Privacy Compliance Service: CALIFORNIA Page 1 of 90


PRIVACY COMPLIANCE SERVICE

CALIFORNIA

Revised: June 2018

What's new in this revision?

† indicates substantive changes between May 2016 and the current revision date.

‡ indicates an addition to the scope of the Compliance Service.

If no flags are present, no substantive changes have been made and no topics have been added. Please check the State Cover Page periodically for any relevant new laws or regulations available after the latest revision date of this state chapter.

TABLE OF CONTENTS

Statutory references contained herein are to West's Annotated California Code. Regulatory references contained herein are to the California Code of Regulations.

SCOPE

FINANCIAL AND MEDICAL INFORMATION PRIVACY

INSURANCE CODE

DIVISION 1. GENERAL RULES GOVERNING INSURANCE

PART 2. THE BUSINESS OF INSURANCE

CHAPTER 1. GENERAL REGULATIONS

Article 6.6. Insurance Information And Privacy Protection Act

CA Ins. §791.01. Scope Of Article

CA Ins. §791.02. Definitions

CA Ins. §791.03. Pretext Interviews

CA Ins. §791.04. Notice Of Personal Information Practices; Applicants Or Policyholders

CA Ins. §791.05. Questions Designed Solely For Marketing Or Research Purposes

CA Ins. §791.06. Disclosure Authorization Forms; Requirements For Forms Or Statements

CA Ins. §791.07. Investigative Consumer Reports; Information Concerning Interview And Copies Of Reports

CA Ins. §791.08. Response To Request For Access To Recorded Personal Information; Time; Medical Record Information; Fee

CA Ins. §791.09. Correction, Amendment, Or Deletion Of Recorded Personal Information; Notice; Statement Of Individual

CA Ins. §791.10. Adverse Underwriting Decisions; Declination, Cancellation Or Nonrenewal Of Enumerated Policies; Specific Reasons For Decision

CA Ins. §791.11. Prohibited Information Concerning Previous Adverse Underwriting Decisions Or Previous Insurance Coverage

CA Ins. §791.12. Adverse Underwriting Decision; Prohibited Grounds

CA Ins. §791.13. Requisites To Disclosure Of Personal Or Privileged Information; Authorization; Persons To Whom Disclosure May Be Made

CA Ins. §791.14. Examination And Investigation Of Insurance Institutions, Agents, Or Insurance-Support Organizations

CA Ins. §791.15. Violations Of Article; Statement Of Charges; Notice Of Hearing; Conduct Of Hearing; Service Of Process

CA Ins. §791.16. Service Of Process; Insurance-Support Organizations Transacting Business Outside State

CA Ins. §791.17. Findings; Cease And Desist Orders; Written Reports; Service Of Process; Modification Or Setting Aside Of Orders Or Reports

CA Ins. §791.18. Judicial Review; Finality Of Order Or Report

CA Ins. §791.19. Violation Of Cease And Desist Order; Penalties

CA Ins. §791.20. Equitable Relief; Damages; Costs; Attorney's Fees; Limitation Of Actions

CA Ins. §791.21. Immunity From Defamation, Invasion Of Privacy Or Negligence Actions; Exception For Malice Or Willful Intent

CA Ins. §791.22. Obtaining Information Under False Pretenses; Penalties

CA Ins. §791.23. Effective Date Of Rights Under Sections 791.08, 791.09 And 791.13; Effect Upon Section 770.1

CIVIL CODE

DIVISION 1. PERSONS

Page 1 of 90 Privacy Compliance Service: CALIFORNIA

11/28/2018 https://members.acli.com/-/media/ACLI/Members/Files/Compliance/Compliance-Service...


PART 2.6. CONFIDENTIALITY OF MEDICAL INFORMATION

CHAPTER 1. DEFINITIONS

CA Civ. Code §56. Short Title

CA Civ. Code §56.05. Definitions

CA Civ. Code §56.06. Business Organized For The Purpose Of Maintaining Medical Information In Order To Supply Information To Individual Or Health Care Provider For Specified Purposes; Business Offering Hardware Or Software Designed To Make Medical Information Available To Individuals Or Health Care Providers; Confidentiality; Penalties

CA Civ. Code §56.07. Medical Profile, Summary, Or Information Provided; Patient's Written Request; Application

CHAPTER 2. DISCLOSURE OF MEDICAL INFORMATION BY PROVIDERS

CA Civ. Code §56.10. Authorization; Compelled Disclosure; Other Permitted Disclosures

CA Civ. Code §56.104. Patient's Participation In Outpatient Treatment With Psychotherapist; Request For Information; Application Of Section

CA Civ. Code §56.11. Authorization; Form And Contents

CA Civ. Code §56.13. Further Disclosure By Recipient Of Medical Information

CA Civ. Code §56.14. Communication Of Limitations Of Authorization To Recipient Of Medical Information

CHAPTER 5. USE AND DISCLOSURE OF MEDICAL AND OTHER INFORMATION BY THIRD PARTY ADMINISTRATORS AND OTHERS

CA Civ. Code §56.265. Annuity Contracts; Disclosure Of Individually Identifiable Information Concerning Health, Medical Or Genetic History; Prohibition

CHAPTER 6. RELATIONSHIP TO EXISTING LAW

CA Civ. Code §56.27. Employer That Is Insurance Institution, Agent Or Support Organization; Disclosure Not In Violation Of §56.20

CHAPTER 7. VIOLATIONS

CA Civ. Code §56.35. Compensatory And Punitive Damages; Attorneys' Fees And Costs

CA Civ. Code §56.36. Misdemeanors; Violations; Remedies

FINANCIAL CODE

DIVISION 1.4. CALIFORNIA FINANCIAL INFORMATION PRIVACY ACT

CA Fin. Code §4050. Short Title

CA Fin. Code §4051. Legislative Intent

CA Fin. Code §4051.5. Legislative Findings And Declarations

CA Fin. Code §4052. Definitions

CA Fin. Code §4052.5. Prohibition Against Disclosure Of Nonpublic Personal Information

CA Fin. Code §4053. Consent Requirement To Disclose Nonpublic Personal Information; Requirements And Regulation

CA Fin. Code §4053.5. Disclosure Of Nonpublic Personal Information By Entity That Receives Information; Permitted Uses

CA Fin. Code §4054. Required Electronic Or Written Notice To Consumers

CA Fin. Code §4054.6. Agreements Between Financial Institutions And Affinity Partners To Issue Credit Cards Or Financial Products Or Services; Disclosure Of Information; Requirements

CA Fin. Code §4056. Application Of Division; Conditions For Release Of Nonpublic Personal Information By Financial Institutions

CA Fin. Code §4056.5. Persons Or Entities With License And/Or Written Contractual Agreement With Another Licensed Person Or Entity; Disclosure Of Information; Contents Of Contract

CA Fin. Code §4057. Liability For Negligent Disclosure Of Nonpublic Personal Information; Civil Penalty And Damages; Factors To Determine Amount Of Penalty

CA Fin. Code §4058. Authority Of Department Or State Agency To Regulate Financial Institutions

CA Fin. Code §4058.5. Preemption; Prospective And Retroactive Application

CA Fin. Code §4058.7. Combining Forms

CA Fin. Code §4059. Severable Provisions

CA Fin. Code §4060. Operation Of Division

TITLE 10. INVESTMENT

CHAPTER 5. INSURANCE COMMISSIONER

Subchapter 5.9. Privacy Of Nonpublic Personal Information

Article 1. General Provisions

CA Admin. Code tit. 10 §2689.1. Authority And Purpose

CA Admin. Code tit. 10 §2689.2. Scope

CA Admin. Code tit. 10 §2689.3. Disclosure Of Information

CA Admin. Code tit. 10 §2689.4. Definitions

Article 2. Privacy Notices; Opt Out Notices For Nonpublic Personal Financial Information

CA Admin. Code tit. 10 §2689.5. Initial Privacy Notice


CA Admin. Code tit. 10 §2689.6. Annual Privacy Notice

CA Admin. Code tit. 10 §2689.7. Information To Be Included In Privacy Notices

CA Admin. Code tit. 10 §2689.8. Form Of Opt Out Notice And Opt Out Methods

CA Admin. Code tit. 10 §2689.9. Revised Privacy Notices

CA Admin. Code tit. 10 §2689.10. Delivery Of Notices

Article 3. Limits On Disclosures Of Medical Record Information

CA Admin. Code tit. 10 §2689.11. Disclosure Of Medical Record Information

Article 4. Standards For Safeguarding Nonpublic Personal Information

CA Admin. Code tit. 10 §2689.12. General Provisions

CA Admin. Code tit. 10 §2689.13. Definitions

CA Admin. Code tit. 10 §2689.14. Information Security Program

CA Admin. Code tit. 10 §2689.15. Objectives Of Information Security Program

CA Admin. Code tit. 10 §2689.16. Assess Risk

CA Admin. Code tit. 10 §2689.17. Manage And Control Risk

CA Admin. Code tit. 10 §2689.18. Service Providers

CA Admin. Code tit. 10 §2689.19. Adjust The Program

CA Admin. Code tit. 10 §2689.20. Enforcement

Article 5. Additional Provisions

CA Admin. Code tit. 10 §2689.21. Protection Of Fair Credit Reporting Act

CA Admin. Code tit. 10 §2689.22. Nondiscrimination

CA Admin. Code tit. 10 §2689.23. Severability

CA Admin. Code tit. 10 §2689.24. Effective Date; Contracts With Nonaffiliated Third Parties [Sample Clauses]

ADDITIONAL ADMINISTRATIVE MATERIAL

CA Notice 3-27-2003. Department Of Insurance Privacy Regulations

CA Notice 5-16-2014. Notification Of Improper Personal Information Disclosures And Security Breaches

SOCIAL SECURITY NUMBER PRIVACY

CIVIL CODE

DIVISION 3. OBLIGATIONS

PART 4. OBLIGATIONS ARISING FROM PARTICULAR TRANSACTIONS

TITLE 1.81.1. CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS

CA Civ. Code §1798.85. Prohibited Actions With Respect To Social Security Numbers; Application And Exceptions; Operative Dates With Respect To Specified Entities

CA Civ. Code §1798.89. Recording Or Filing Of Documents; Display Of Social Security Numbers; Due Diligence In Using Truncated Social Security Numbers

INFORMATION SECURITY AND SAFEGUARDS

CIVIL CODE

DIVISION 3. OBLIGATIONS

PART 4. OBLIGATIONS ARISING FROM PARTICULAR TRANSACTIONS

TITLE 1.81. CUSTOMER RECORDS

CA Civ. Code §1798.80. Definitions

CA Civ. Code §1798.81. Reasonable Steps For Disposal Of Customer Records

CA Civ. Code §1798.81.5. Security Procedures And Practices With Respect To Personal Information About California Residents

CA Civ. Code §1798.82. Person Or Business Who Owns Or Licenses Computerized Data Including Personal Information; Breach Of Security Of The System; Disclosure Requirements†

CA Civ. Code §1798.83. Personal Information; Disclosure To Direct Marketers

CA Civ. Code §1798.84. Waiver And Violations Of Provisions Of This Title; Civil Actions And Penalties; Disposal Of Abandoned Records Containing Personal Information; Attorney's Fees And Costs

INTERNET PRIVACY AND E-MAIL SOLICITATION

BUSINESS AND PROFESSIONS CODE

DIVISION 7. GENERAL BUSINESS REGULATIONS

PART 3. REPRESENTATIONS TO THE PUBLIC

CHAPTER 1. ADVERTISING

Article 1.8. Restrictions On Unsolicited Commercial E-Mail Advertisers

CA Bus. Prof. Code §17529.1. Definitions

CA Bus. Prof. Code §17529.2. Prohibited Activities

CA Bus. Prof. Code §17529.3. Providers Of Internet Access Services; Application Of Article

CA Bus. Prof. Code §17529.4. Unlawful Activities Relating To E-Mail Addresses; Automated Gathering Of Certain Information


CA Bus. Prof. Code §17529.5. Unlawful Activities Relating To Commercial E-Mail Advertisements; Additional Remedies

CA Bus. Prof. Code §17529.8. Remedies

CA Bus. Prof. Code §17529.9. Severability

Article 2. Particular Offenses

CA Bus. Prof. Code §17538.43. Use Of Telephone Facsimile Machine To Send Unsolicited Advertisement; Initiating Facsimile Communication; Prohibitions

DIVISION 8. SPECIAL BUSINESS REGULATIONS

CHAPTER 22. INTERNET PRIVACY REQUIREMENTS

CA Bus. Prof. Code §22575. Commercial Web Site Operators; Posting Of Privacy Policy; Violation Of Subdivision For Failure To Post Policy; Policy Requirements

CA Bus. Prof. Code §22576. Violation Of Section For Failure To Comply With Provisions Of Posted Privacy Policy

CA Bus. Prof. Code §22577. Definitions

CHAPTER 33. ANTI-PHISHING ACT OF 2005

CA Bus. Prof. Code §22948. Short Title

CA Bus. Prof. Code §22948.1. Definitions

CA Bus. Prof. Code §22948.2. Unlawful Requests By Misrepresentation

CA Bus. Prof. Code §22948.3. Remedies For Violation

DO NOT CALL AND TELEPHONE SOLICITATION

BUSINESS AND PROFESSIONS CODE

DIVISION 7. GENERAL BUSINESS REGULATIONS

PART 3. REPRESENTATIONS TO THE PUBLIC

CHAPTER 1. ADVERTISING

Article 8. Unsolicited And Unwanted Telephone Solicitations

CA Bus. Prof. Code §17591. "Do Not Call" List; Unlawful Activities

CA Bus. Prof. Code §17592. Prohibited Calls

CA Bus. Prof. Code §17593. Civil Actions

FAIR CREDIT REPORTING

CIVIL CODE

DIVISION 3. OBLIGATIONS

PART 4. OBLIGATIONS ARISING FROM PARTICULAR TRANSACTIONS

TITLE 1.6. CONSUMER CREDIT REPORTING AGENCIES ACT

CHAPTER 1. GENERAL PROVISIONS

CA Civ. Code §1785.2. Short Title

CA Civ. Code §1785.3. Definitions

CA Civ. Code §1785.4. Inapplicability To Private Detectives; Exception

CA Civ. Code §1785.5. Assembly, Evaluation Or Dissemination Of Information On Checking Account Experiences Of Financial Institution Customers

CA Civ. Code §1785.6. Consumer Notice Or Disclosure; California Addresses

CHAPTER 2. OBLIGATIONS OF CONSUMER CREDIT REPORTING AGENCIES

CA Civ. Code §1785.10. Inspection Of Files By Consumer; Advice To Consumer; Coded Files; Availability Of Information; Disclosure Of Recipients Of Credit Reports And Inquiries; Reselling Report Or Information; Exemptions

CA Civ. Code §1785.11. Furnishing Consumer Report; Circumstances

CA Civ. Code §1785.11.1. Security Alerts In Credit Reports

CHAPTER 3. REQUIREMENTS ON USERS OF CONSUMER CREDIT REPORTS

CA Civ. Code §1785.20. Adverse Action Based On Consumer Credit Report Information; Notice And Disclosure To Consumer; Denial Of Credit Or Insurance Or Increase In Charge Because Of Information From One Other Than Agency; Liability

CA Civ. Code §1785.20.1. Credit Transactions Not Initiated By Consumer; Solicitation To Consumer; Required Statement; Prequalifying Reports; Consumer's Consent

CA Civ. Code §1785.20.2. Loans To Consumers; Use Of Consumer Credit Score; Information To Be Provided To Consumer; Notice And Form

CA Civ. Code §1785.20.3. Consumer Credit Reports With Approval Of Credit Based On Application For Credit Extension; Consumer Address Error With Respect To Identity Theft; Verification Safeguard; Violations

CA Civ. Code §1785.20.5. Report For Employment Purposes; Prior Notice To Person Involved; Contemporaneous Copies For User And Subject; Denial Of Employment; Identity Of Reporter; Notice By User To Consumer; Liability

CA Civ. Code §1785.21. Contact Of Reporter By User At Request Of Consumer; Investigation Of Disputed Item Of Information; Report By Reporter To User And Consumer

CA Civ. Code §1785.22. Reselling Report Or Information; Disclosure To Agency; Requirements


CHAPTER 3.5. OBLIGATIONS OF FURNISHERS OF CREDIT INFORMATION

CA Civ. Code §1785.25. Incomplete Or Inaccurate Information; Knowledge; Notification To Agency; Dispute As To Completeness Or Accuracy; Notice; Closing Of Open-End Credit Account; Delinquent Accounts; Investigation Of Dispute; Liability Of Furnisher

CA Civ. Code §1785.26. Creditor; Negative Credit Information; Notification To Consumer; Form And Service Of Notice; Liability Of Creditor

TITLE 1.6A. INVESTIGATIVE CONSUMER REPORTING AGENCIES

Article 2. Obligations of Investigative Consumer Reporting Agencies

CA Civ. Code §1786.40. Consumer Insurance Request Denied; Notice To Consumer Of Adverse Action

ADDITIONAL ADMINISTRATIVE MATERIAL

CA Bulletin 76-3. Disclosure Requirements—California Civil Code §§1785.1 And 1786—Consumer Credit And Investigative Consumer Reporting Agencies

OTHER PROVISIONS

CIVIL CODE

DIVISION 3. OBLIGATIONS

PART 4. OBLIGATIONS ARISING FROM PARTICULAR TRANSACTIONS

TITLE 1.3. CREDIT CARDS

CA Civ. Code §1747.08. Personal Identification Information; Prohibition Upon Collection Of Data Upon Credit Card Transaction Form; Exemptions; Civil Penalties And Injunctive Relief

SCOPE

What’s Included

ACLI’s Privacy Compliance Service contains laws, regulations, and other administrative requirements that may impact life insurers’ consumer information practices. This publication includes laws and regulations that expressly apply to life insurers or may be interpreted to apply to life insurers.

State and federal chapters are organized by the following topics:

● Financial and medical privacy

● Social security number privacy

● Information security and safeguards

● Internet privacy and e-mail solicitation

● Do not call and telephone solicitation

● Fair credit reporting

● Other provisions

Within each topic, statutes are listed first, followed by regulations and other administrative material such as bulletins, letters, and notices. Regulation citations are preceded by “Reg.” to easily distinguish them from statutes.

What’s Not Included

Laws and regulations that expressly exclude life insurers are not included here. Also, confidentiality, consent and disclosure provisions specific to genetic testing and HIV/AIDS testing are not reproduced in the Privacy Compliance Service but are located in ACLI’s Risk Classification Compliance Service. In California, refer to §§799 et seq., 10140.1, 10146 et seq. of the Insurance Code; §§1374.7, 120980 and 120990 of the Health and Safety Code; and California Code of Regulations title 10, §2218.20 for these provisions.

Other ACLI Resources

"Privacy and Confidentiality Requirements" — a multi-state Life Insurance Law Survey covering state adoption of three NAIC privacy models: the Insurance Information and Privacy Protection Model Act, the Privacy of Consumer Financial and Health Information Model Regulation and the Standards for Safeguarding Customer Information Model Regulation.

"Privacy: Telephone/E-Mail/Fax Solicitation" — a multi-state Life Insurance Law Survey covering state laws and regulations designed to protect the privacy of consumers being solicited by telephone, e-mail or fax.

"Privacy: Social Security Number Restrictions" — a multi-state Life Insurance Law Survey concerning state restrictions on obtaining, disclosing, displaying or using an individual's Social Security number.


"Privacy: Security Breach" — a multi-state Life Insurance Law Survey on state requirements regarding notification in the event of a breach in the security of personal information.

FINANCIAL AND MEDICAL INFORMATION PRIVACY

INSURANCE CODE

DIVISION 1. GENERAL RULES GOVERNING INSURANCE

PART 2. THE BUSINESS OF INSURANCE

CHAPTER 1. GENERAL REGULATIONS

Article 6.6. Insurance Information And Privacy Protection Act

CA Ins. §791.01. Scope Of Article

[Last amended by Laws 1981, Ch. 121, §1.]

(a) The obligations imposed by this article shall apply to those insurance institutions, agents or insurance-support organizations which, on or after October 1, 1981:

(1) In the case of life or disability insurance:

(A) Collect, receive or maintain information in connection with insurance transactions which pertains to natural persons who are residents of this state, or

(B) Engage in insurance transactions with applicants, individuals or policyholders who are residents of this state.

(2) In the case of property or casualty insurance:

(A) Collect, receive or maintain information in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in this state, or

(B) Engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in this state.

(b) The rights granted by this article shall extend to:

(1) In the case of life or disability insurance, the following persons who are residents of this state:

(A) Natural persons who are the subject of information collected, received or maintained in connection with insurance transactions.

(B) Applicants, individuals or policyholders who engage in or seek to engage in insurance transactions.

(2) In the case of property or casualty insurance, the following persons:

(A) Natural persons who are the subject of information collected, received or maintained in connection with insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in this state, and

(B) Applicants, individuals or policyholders who engage in or seek to engage in insurance transactions involving policies, contracts or certificates of insurance delivered, issued for delivery or renewed in this state.

(c) For purposes of this section, a person shall be considered a resident of this state if the person's last known mailing address, as shown in the records of the insurance institution, agent, or insurance-support organization, is located in this state.

(d) This article shall not apply to any person or entity engaged in the business of title insurance as defined in Section 12340.3.

(e) This article shall not apply to a person or entity engaged in the business of a home protection company, as defined in Section 12740, which does not obtain or maintain personal information, as defined in this article, of its policyholders and applicants.


(f) Insurance institutions, agents, insurance support organizations or any insurance transaction subject to this article shall be exempt from Part 2.6 (commencing with Section 56) of Division 1 of, and Sections 1785.20 and 1786.40 of, the Civil Code.

CA Ins. §791.02. Definitions

[Last amended by Laws 2013, Ch. 444 (S.B. 138), §17.]

As used in this act:

(a)(1) "Adverse underwriting decision" means any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:

(A) A declination of insurance coverage.

(B) A termination of insurance coverage.

(C) Failure of an agent to apply for insurance coverage with a specific insurance institution that the agent represents and that is requested by an applicant.

(D) In the case of a property or casualty insurance coverage:

(i) Placement by an insurance institution or agent of a risk with a residual market mechanism, with an unauthorized insurer, or with an insurance institution that provides insurance to other than preferred or standard risks, if in fact the placement is at other than a preferred or standard rate. An adverse underwriting decision, in case of placement with an insurance institution that provides insurance to other than preferred or standard risks, shall not include placement if the applicant or insured did not specify or apply for placement as a preferred or standard risk or placement with a particular company insuring preferred or standard risks, or

(ii) The charging of a higher rate on the basis of information which differs from that which the applicant or policyholder furnished.

(E) In the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.

(2) Notwithstanding paragraph (1), any of the following actions shall not be considered adverse underwriting decisions but the insurance institution or agent responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:

(A) The termination of an individual policy form on a class or statewide basis.

(B) A declination of insurance coverage solely because coverage is not available on a class or statewide basis.

(C) The rescission of a policy.

(b) "Affiliate" or "affiliated" means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person.

(c) "Agent" means any person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section 1831).

(d) "Applicant" means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.

(e) "Consumer report" means any written, oral, or other communication of information bearing on a natural person's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.

(f) "Consumer reporting agency" means any person who:

(1) Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee.

(2) Obtains information primarily from sources other than insurance institutions.

(3) Furnishes consumer reports to other persons.

(g) "Control," including the terms "controlled by" or "under common control with," means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.


(h) "Declination of insurance coverage" means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage.

(i) "Individual" means any natural person who is any of the following:

(1) In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder.

(2) In the case of life or disability insurance, is a past, present, or proposed principal insured or certificate holder.

(3) Is a past, present, or proposed policyowner.

(4) Is a past or present applicant.

(5) Is a past or present claimant.

(6) Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this act.

(j) "Institutional source" means any person or governmental entity that provides information about an individual to an agent, insurance institution, or insurance-support organization, other than any of the following:

(1) An agent.

(2) The individual who is the subject of the information.

(3) A natural person acting in a personal capacity rather than in a business or professional capacity.

(k) "Insurance institution" means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd's insurer, fraternal benefit society, or other person engaged in the business of insurance. "Insurance institution" shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code.

(l) "Insurance-support organization" means:

(1) Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:

(A) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.

(B) The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity.

(2) Notwithstanding paragraph (1), the following persons shall not be considered "insurance-support organizations": agents, governmental institutions, insurance institutions, medical care institutions, medical professionals, and peer review committees.

(m) "Insurance transaction" means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following:

(1) The determination of an individual's eligibility for an insurance coverage, benefit, or payment.

(2) The servicing of an insurance application, policy, contract, or certificate.

(n) "Investigative consumer report" means a consumer report or portion thereof in which information about a natural

person's character, general reputation, personal characteristics, or mode of living is obtained through personal interviews

with the person's neighbors, friends, associates, acquaintances, or others who may have knowledge concerning those

items of information.

(o) "Medical care institution" means any facility or institution that is licensed to provide health care services to natural

persons, including but not limited to, hospitals, skilled nursing facilities, home health agencies, medical clinics,

rehabilitation agencies, and public health agencies.

(p) "Medical professional" means any person licensed or certified to provide health care services to natural persons,

including but not limited to, a physician, dentist, nurse, optometrist, physical or occupational therapist, psychiatric social

worker, clinical dietitian, clinical psychologist, chiropractor, pharmacist, or speech therapist.

(q) "Medical record information" means personal information that is both of the following:

(1) Relates to an individual's physical or mental condition, medical history or medical treatment.


(2) Is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent, or legal guardian.

(r) "Person" means any natural person, corporation, association, partnership, limited liability company, or other legal entity.

(s) "Personal information" means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. "Personal information" includes an individual's name and address and "medical record information" but does not include "privileged information."

(t) "Policyholder" means any person who is any of the following:

(1) In the case of individual property or casualty insurance, is a present named insured.

(2) In the case of individual life or disability insurance, is a present policyowner.

(3) In the case of group insurance, which is individually underwritten, is a present group certificate holder.

(u) "Pretext interview" means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:

(1) Pretends to be someone he or she is not.

(2) Pretends to represent a person he or she is not in fact representing.

(3) Misrepresents the true purpose of the interview.

(4) Refuses to identify himself or herself upon request.

(v) "Privileged information" means any individually identifiable information that both:

(1) Relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual.

(2) Is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. However, information otherwise meeting the requirements of this division shall nevertheless be considered "personal information" under this act if it is disclosed in violation of Section 791.13.

(w) "Residual market mechanism" means the California FAIR Plan Association, Chapter 10 (commencing with Section 10101) of Part 1 of Division 2, and the assigned risk plan, Chapter 1 (commencing with Section 11550) of Part 3 of Division 2.

(x) "Termination of insurance coverage" or "termination of an insurance policy" means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.

(y) "Unauthorized insurer" means an insurance institution that has not been granted a certificate of authority by the director to transact the business of insurance in this state.

(z) "Commissioner" means the Insurance Commissioner.

(aa) "Confidential communications request" means a request by an insured covered under a health insurance policy that insurance communications containing medical information be communicated to him or her at a specific mail or email address or specific telephone number, as designated by the insured.

(ab) "Endanger" means that the insured covered under a health insurance policy fears that the disclosure of his or her medical information could subject the insured covered under a health insurance policy to harassment or abuse.

(ac) "Sensitive services" means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient of any age at or above the minimum age specified for consenting to the service specified in the section.

(ad) "Medical information" means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health insurer, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.

CA Ins. §791.03. Pretext Interviews

[Last amended by Laws 1981, Ch. 106, §2.]


No insurance institution, agent or insurance-support organization shall use or authorize the use of pretext interviews to obtain information in connection with an insurance transaction; provided, however, that a pretext interview may be undertaken to obtain information from a person or institution that does not have a generally or statutorily recognized privileged relationship with the person to whom the information relates for the purpose of investigating a claim where there is a reasonable basis for suspecting criminal activity, fraud, material misrepresentation or material nondisclosure in connection with a claim.

CA Ins. §791.04. Notice Of Personal Information Practices; Applicants Or Policyholders

[Last amended by Laws 1981, Ch. 106, §4.]

(a) An insurance institution or agent shall provide a notice of information practices to all applicants or policyholders in connection with insurance transactions as provided below:

(1) In the case of a written application for insurance, a notice shall be provided no later than:

(A) At the time of the delivery of the insurance policy or certificate when personal information is collected only from the applicant, an insured under the policy, or from public records; or

(B) At the time the collection of personal information is initiated when personal information is collected from a source other than the applicant, an insured under the policy, or public records.

(2) In the case of a policy renewal, a notice shall be provided no later than the policy renewal date or the date upon which policy renewal is confirmed, except that no notice shall be required in connection with a policy renewal if either of the following applies:

(A) Personal information is collected only from the policyholder, an insured under the policy, or from public records.

(B) A notice meeting the requirements of this section has been given within the previous 24 months.

(3) In the case of a policy reinstatement or change in insurance benefits, a notice shall be provided no later than the time a request for a policy reinstatement or change in insurance benefits is received by the insurance institution, except that no notice shall be required if personal information is collected only from the policyholder, an insured under the policy, or from public records or if a notice meeting the requirements of this section has been given within the previous 24 months.

(b) The notice required by subdivision (a) shall be in writing and shall state all of the following:

(1) Whether personal information may be collected from persons other than the individual or individuals proposed for coverage.

(2) The types of personal information that may be collected and the types of sources and investigative techniques that may be used to collect such information.

(3) The types of disclosures identified in subdivisions (b), (c), (d), (e), (f), (i), (k), (l), and (n) of Section 791.13 and the circumstances under which the disclosures may be made without prior authorization, except that only those circumstances need be described which occur with such frequency as to indicate a general business practice.

(4) A description of the rights established under Sections 791.08 and 791.09 and the manner in which the rights may be exercised.

(5) That information obtained from a report prepared by an insurance-support organization may be retained by the insurance-support organization and disclosed to other persons.

(c) In lieu of the notice prescribed in subdivision (b), the insurance institution or agent may provide an abbreviated notice informing the applicant or policyholder of the following:

(1) Personal information may be collected from persons other than the individual or individuals proposed for coverage.

(2) Such information as well as other personal or privileged information subsequently collected by the insurance institution or agent may in certain circumstances be disclosed to third parties without authorization.

(3) A right of access and correction exists with respect to all personal information collected.

(4) The notice prescribed in subdivision (b) will be furnished to the applicant or policyholder upon request.

(d) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.


CA Ins. §791.05. Questions Designed Solely For Marketing Or Research Purposes

[Last amended by Laws 1981, Ch. 106, §5.]

An insurance institution or agent shall clearly specify those questions designed to obtain information solely for marketing or research purposes from an individual in connection with an insurance transaction.

CA Ins. §791.06. Disclosure Authorization Forms; Requirements For Forms Or Statements

[Last amended by Laws 1981, Ch. 106, §6.]

Notwithstanding any other provision of law, no insurance institution, agent or insurance-support organization may utilize as its disclosure authorization form in connection with insurance transactions a form or statement which authorizes the disclosure of personal or privileged information about an individual to the insurance institution, agent, or insurance-support organization unless the form or statement:

(a) Is written in plain language.

(b) Is dated.

(c) Specifies the types of persons authorized to disclose information about the individual.

(d) Specifies the nature of the information authorized to be disclosed.

(e) Names the insurance institution or agent and identifies by generic reference representatives of the insurance institution to whom the individual is authorizing information to be disclosed.

(f) Specifies the purposes for which the information is collected.

(g) Specifies the length of time the authorization shall remain valid, which shall be no longer than:

(1) In the case of authorizations signed for the purpose of collecting information in connection with an application for an insurance policy, a policy reinstatement or a request for change in policy benefits:

(A) Thirty months from the date the authorization is signed if the application or request involves life, health or disability insurance; or

(B) One year from the date the authorization is signed if the application or request involves property or casualty insurance.

(2) In the case of authorizations signed for the purpose of collecting information in connection with a claim for benefits under an insurance policy:

(A) The term of coverage of the policy if the claim is for a health insurance benefit; or

(B) The duration of the claim if the claim is not for a health insurance benefit; or

(C) The duration of all claims processing activity performed in connection with all claims for benefits made by any person entitled to benefits under a nonprofit hospital service contract.

(h) Advises the individual or a person authorized to act on behalf of the individual that the individual or the individual's authorized representative is entitled to receive a copy of the authorization form.

(i) This section shall not be construed to require any authorization for the receipt of personal or privileged information about an individual.

CA Ins. §791.07. Investigative Consumer Reports; Information Concerning Interview And Copies Of Reports

[Last amended by Laws 1981, Ch. 106, §7.]

(a) No insurance institution, agent or insurance-support organization may prepare or request an investigative consumer report about an individual in connection with an insurance transaction involving an application for insurance, a policy renewal, a policy reinstatement or a change in insurance benefits unless the insurance institution or agent informs the individual of the following:

(1) That he or she may request to be interviewed in connection with the preparation of the investigative consumer report, and

(2) That upon a request pursuant to Section 791.08, he or she is entitled to receive a copy of the investigative consumer report.

(b) If an investigative consumer report is to be prepared by an insurance institution or agent, the insurance institution or agent shall institute reasonable procedures to conduct a personal interview requested by an individual.


(c) If an investigative consumer report is to be prepared by an insurance-support organization, the insurance institution or agent desiring such report shall inform the insurance-support organization whether a personal interview has been requested by the individual. The insurance-support organization shall institute reasonable procedures to conduct such interviews, if requested.

CA Ins. §791.08. Response To Request For Access To Recorded Personal Information; Time; Medical Record Information; Fee

[Last amended by Laws 1985, Ch. 1132, §1.]

(a) If any individual, after proper identification, submits a written request to an insurance institution, agent or insurance-support organization for access to recorded personal information about the individual which is reasonably described by the individual and reasonably locatable and retrievable by the insurance institution, agent or insurance-support organization, the insurance institution, agent or insurance-support organization shall within 30 business days from the date such request is received:

(1) Inform the individual of the nature and substance of such recorded personal information in writing, by telephone or by other oral communication, whichever the insurance institution, agent or insurance-support organization prefers;

(2) Permit the individual to see and copy, in person, such recorded personal information pertaining to him or her or to obtain a copy of such recorded personal information by mail, whichever the individual prefers, unless such recorded personal information is in coded form, in which case an accurate translation in plain language shall be provided in writing;

(3) Disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, agent or insurance-support organization has disclosed such personal information within two years prior to such request, and if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organizations or other persons to whom such information is normally disclosed; and

(4) Provide the individual with a summary of the procedures by which he or she may request correction, amendment or deletion of recorded personal information.

(b) Any personal information provided pursuant to subdivision (a) above shall identify the source of the information if such source is an institutional source.

(c) Medical record information supplied by a medical care institution or medical professional and requested under subdivision (a), together with the identity of the medical professional or medical care institution which provided such information, shall be supplied either directly to the individual or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the individual prefers. Mental health record information shall be supplied directly to the individual, pursuant to this section, only with the approval of the qualified professional person with treatment responsibility for the condition to which the information relates. If it elects to disclose the information to a medical professional designated by the individual, the insurance institution, agent or insurance-support organization shall notify the individual, at the time of the disclosure, that it has provided the information to the medical professional.

(d) Except for personal information provided under Section 791.10, an insurance institution, agent or insurance-support organization may charge a reasonable fee to cover the costs incurred in providing a copy of recorded personal information to individuals.

(e) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf. With respect to the copying and disclosure of recorded personal information pursuant to a request under subdivision (a), an insurance institution, agent or insurance-support organization may make arrangements with an insurance-support organization or a consumer reporting agency to copy and disclose recorded personal information on its behalf.

(f) The rights granted to individuals in this section shall extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subdivision shall not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.

(g) For purposes of this section, the term "insurance-support organization" does not include "consumer reporting agency".

CA Ins. §791.09. Correction, Amendment, Or Deletion Of Recorded Personal Information; Notice; Statement Of Individual

[Last amended by Laws 1981, Ch. 106, §9.]


(a) Within 30 business days from the date of receipt of a written request from an individual to correct, amend or delete any recorded personal information about the individual within its possession, an insurance institution, agent or insurance-support organization shall either:

(1) Correct, amend or delete the portion of the recorded personal information in dispute; or

(2) Notify the individual of:

(A) Its refusal to make such correction, amendment or deletion.

(B) The reasons for the refusal.

(C) The individual's right to file a statement as provided in subdivision (c).

(b) If the insurance institution, agent or insurance-support organization corrects, amends or deletes recorded personal information in accordance with paragraph (1) of subdivision (a), the insurance institution, agent or insurance-support organization shall so notify the individual in writing and furnish the correction, amendment or fact of deletion to:

(1) Any person specifically designated by the individual who may have, within the preceding two years, received such recorded personal information.

(2) Any insurance-support organization whose primary source of personal information is insurance institutions if the insurance-support organization has systematically received such recorded personal information from the insurance institution within the preceding seven years; provided, however, that the correction, amendment or fact of deletion need not be furnished if the insurance-support organization no longer maintains recorded personal information about the individual.

(3) Any insurance-support organization that furnished the personal information that has been corrected, amended or deleted.

(c) Whenever an individual disagrees with an insurance institution's, agent's or insurance-support organization's refusal to correct, amend or delete recorded personal information, the individual shall be permitted to file with the insurance institution, agent or insurance-support organization:

(1) A concise statement setting forth what the individual thinks is the correct, relevant or fair information.

(2) A concise statement of the reasons why the individual disagrees with the insurance institution's, agent's or insurance-support organization's refusal to correct, amend or delete recorded personal information.

(d) In the event an individual files either statement as described in subdivision (c), the insurance institution, agent or support organization shall:

(1) File the statement with the disputed personal information and provide a means by which anyone reviewing the disputed personal information will be made aware of the individual's statement and have access to it.

(2) In any subsequent disclosure by the insurance institution, agent or support organization of the recorded personal information that is the subject of disagreement, clearly identify the matter or matters in dispute and provide the individual's statement along with the recorded personal information being disclosed.

(3) Furnish the statement to the persons and in the manner specified in subdivision (b).

(e) The rights granted to individuals in this section shall extend to all natural persons to the extent information about them is collected and maintained by an insurance institution, agent or insurance-support organization in connection with an insurance transaction. The rights granted to all natural persons by this subdivision shall not extend to information about them that relates to and is collected in connection with or in reasonable anticipation of a claim or civil or criminal proceeding involving them.

(f) For purposes of this section, the term "insurance-support organization" does not include "consumer reporting agency".

CA Ins. §791.10. Adverse Underwriting Decisions; Declination, Cancellation Or Nonrenewal Of Enumerated Policies; Specific Reasons For Decision

[Last amended by Laws 2005, Ch. 436 (S.B. 150), §1.]

(a) In the event of an adverse underwriting decision the insurance institution or agent responsible for the decision shall:

(1) Either provide the applicant, policyholder, or individual proposed for coverage with the specific reason or reasons for the adverse underwriting decision in writing or, except as provided in subdivision (e), advise the person that upon written request he or she may receive the specific reason or reasons in writing.


(2) Provide the applicant, policyholder or individual proposed for coverage with a summary of the rights established under subdivision (b) and Sections 791.08 and 791.09.

(b) Upon receipt of a written request within 90 business days from the date of the mailing of notice or other communication of an adverse underwriting decision to an applicant, policyholder or individual proposed for coverage, the insurance institution or agent shall furnish to such person within 21 business days from the date of receipt of such written request:

(1) The specific reason or reasons for the adverse underwriting decision, in writing, if such information was not initially furnished in writing pursuant to paragraph (1) of subdivision (a).

(2) The specific items of personal and privileged information that support those reasons; provided, however:

(A) The insurance institution or agent shall not be required to furnish specific items of privileged information if it has a reasonable suspicion, based upon specific information available for review by the commissioner, that the applicant, policyholder or individual proposed for coverage has engaged in criminal activity, fraud, material misrepresentation or material nondisclosure.

(B) Specific items of medical record information supplied by a medical care institution or medical professional shall be disclosed either directly to the individual about whom the information relates or to a medical professional designated by the individual and licensed to provide medical care with respect to the condition to which the information relates, whichever the individual prefers.

Mental health record information shall be supplied directly to the individual, pursuant to this subdivision, only with the approval of the qualified professional person with treatment responsibility for the condition to which the information relates.

(3) The names and addresses of the institutional sources that supplied the specific items of information given pursuant to paragraph (2) of subdivision (b); provided, however, that the identity of any medical professional or medical care institution shall be disclosed either directly to the individual or to the designated medical professional, whichever the individual prefers.

(c) The obligations imposed by this section upon an insurance institution or agent may be satisfied by another insurance institution or agent authorized to act on its behalf.

(d) When an adverse underwriting decision results solely from an oral request or inquiry, the explanation of reasons and summary of rights required by subdivision (a) or (e) may be given orally to the extent that such information is available.

(e) Except as provided in subdivision (d), with respect to a declination, cancellation, or nonrenewal of a property insurance policy covered by Section 675 or an automobile insurance policy covered by Section 660, or an individual life, health, or disability insurance policy, the insurance institution or agent responsible for the decision shall provide the specific reason or reasons in writing at the time of the decision. The communication of medical record information for a life or health insurance policy shall be subject to the disclosure requirements of subparagraph (B) of paragraph (2) of subdivision (a). This subdivision shall become operative on July 1, 2006.

CA Ins. §791.11. Prohibited Information Concerning Previous Adverse Underwriting Decisions Or Previous Insurance Coverage

[Enacted by Laws 1980, Ch. 1214, §1.]

No insurance institution, agent or insurance-support organization may seek information in connection with an insurance transaction concerning:

(a) Any previous adverse underwriting decision experienced by an individual, or

(b) Any previous insurance coverage obtained by an individual through a residual market mechanism, unless such inquiry also requests the reasons for any previous adverse underwriting decision or the reasons why insurance coverage was previously obtained through a residual market mechanism.

CA Ins. §791.12. Adverse Underwriting Decision; Prohibited Grounds

[Last amended by Laws 2012, Ch. 823 (A.B. 2298), §3.]

No insurance institution or agent may base an adverse underwriting decision in whole or in part on the following:

(a) On the fact of a previous adverse underwriting decision or on the fact that an individual previously obtained insurance coverage through a residual market mechanism; provided, however, an insurance institution or agent may base an adverse underwriting decision on further information obtained from an insurance institution or agent responsible for a previous adverse underwriting decision. The further information, when requested, shall create a conclusive presumption that the information is necessary to perform the requesting insurer's function in connection with an insurance transaction involving the individual and, when reasonably available, shall be furnished the requesting insurer and the individual, if applicable.

(b) On personal information received from an insurance-support organization whose primary source of information is insurance institutions; provided, however, an insurance institution or agent may base an adverse underwriting decision on further personal information obtained as the result of information received from an insurance-support organization.

(c) On the fact that an individual has previously inquired and received information about the scope or nature of coverage under a residential fire or property insurance policy, if the information is received from an insurance-support organization whose primary source of information is insurance institutions and the inquiry did not result in the filing of a claim.

(d) On the fact that an accident involving a peace officer, member of the Department of the California Highway Patrol, or firefighter has been reported and the insurer retains no liability pursuant to Section 488.5 and subdivision (b) of Section 557.5.

CA Ins. §791.13. Requisites To Disclosure Of Personal Or Privileged Information; Authorization; Persons To Whom Disclosure May Be Made

[Last amended by Laws 2009, Ch. 112 (A.B. 470), §1.]

An insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure is:

(a) With the written authorization of the individual, and meets either of the conditions specified in paragraph (1) or (2):

(1) If the authorization is submitted by another insurance institution, agent, or insurance-support organization, the authorization meets the requirement of Section 791.06.

(2) If the authorization is submitted by a person other than an insurance institution, agent, or insurance-support organization, the authorization is:

(A) Dated.

(B) Signed by the individual.

(C) Obtained one year or less prior to the date a disclosure is sought pursuant to this section.

(b) To a person other than an insurance institution, agent, or insurance-support organization, provided the disclosure is reasonably necessary:

(1) To enable the person to perform a business, professional or insurance function for the disclosing insurance institution, agent, or insurance-support organization or insured and the person agrees not to disclose the information further without the individual's written authorization unless the further disclosure:

(A) Would otherwise be permitted by this section if made by an insurance institution, agent, or insurance-support organization; or

(B) Is reasonably necessary for such person to perform its function for the disclosing insurance institution, agent, or insurance-support organization.

(2) To enable the person to provide information to the disclosing insurance institution, agent or insurance-support organization for the purpose of:

(A) Determining an individual's eligibility for an insurance benefit or payment; or

(B) Detecting or preventing criminal activity, fraud, material misrepresentation or material nondisclosure in connection with an insurance transaction.

(c) To an insurance institution, agent, insurance-support organization or self-insurer, provided the information disclosed is limited to that which is reasonably necessary under either paragraph (1) or (2):

(1) To detect or prevent criminal activity, fraud, material misrepresentation or material nondisclosure in connection with insurance transactions; or

(2) For either the disclosing or receiving insurance institution, agent or insurance-support organization to perform its function in connection with an insurance transaction involving the individual.

(d) To a medical-care institution or medical professional for the purpose of any of the following:

(1) Verifying insurance coverage or benefits.

(2) Informing an individual of a medical problem of which the individual may not be aware.


(3) Conducting operations or services audit, provided only such information is disclosed as is reasonably necessary to

accomplish the foregoing purposes.

(e) To an insurance regulatory authority; or

(f) To a law enforcement or other governmental authority pursuant to law.

(g) Otherwise permitted or required by law.

(h) In response to a facially valid administrative or judicial order, including a search warrant or subpoena.

(i) Made for the purpose of conducting actuarial or research studies, provided:

(1) No individual may be identified in any actuarial or research report.

(2) Materials allowing the individual to be identified are returned or destroyed as soon as they are no longer needed.

(3) The actuarial or research organization agrees not to disclose the information unless the disclosure would

otherwise be permitted by this section if made by an insurance institution, agent or insurance-support organization.

(j) To a party or a representative of a party to a proposed or consummated sale, transfer, merger or consolidation of all

or part of the business of the insurance institution, agent or insurance-support organization, provided:

(1) Prior to the consummation of the sale, transfer, merger, or consolidation only such information is disclosed as is

reasonably necessary to enable the recipient to make business decisions about the purchase, transfer, merger, or

consolidation.

(2) The recipient agrees not to disclose the information unless the disclosure would otherwise be permitted by this

section if made by an insurance institution, agent or insurance-support organization.

(k) To a person whose only use of the information will be in connection with the marketing of a product or service,

provided:

(1) No medical-record information, privileged information, or personal information relating to an individual's

character, personal habits, mode of living, or general reputation is disclosed, and no classification derived from the

information is disclosed; or

(2) The individual has been given an opportunity to indicate that he or she does not want personal information

disclosed for marketing purposes and has given no indication that he or she does not want the information disclosed;

and

(3) The person receiving such information agrees not to use it except in connection with the marketing of a product

or service.

(l) To an affiliate whose only use of the information will be in connection with an audit of the insurance institution or

agent or the marketing of an insurance product or service, provided the affiliate agrees not to disclose the information for

any other purpose or to unaffiliated persons.

(m) By a consumer reporting agency, provided the disclosure is to a person other than an insurance institution or agent.

(n) To a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurance

institution's or agent's operations or services, provided the information disclosed is reasonably necessary for the group

policyholder to conduct the review or audit.

(o) To a professional peer review organization for the purpose of reviewing the service or conduct of a medical-care

institution or medical professional.

(p) To a governmental authority for the purpose of determining the individual's eligibility for health benefits for which the

governmental authority may be liable.

(q) To a certificate holder or policyholder for the purpose of providing information regarding the status of an insurance

transaction.

(r) To a lienholder, mortgagee, assignee, lessor, or other person shown on the records of an insurance institution or

agent as having a legal or beneficial interest in a policy of insurance. The information disclosed shall be limited to that

which is reasonably necessary to permit the person to protect his or her interest in the policy and shall be consistent with

Article 5.5 (commencing with Section 770).

(s) To an insured or the insured's lawyer when the information disclosed is from an accident report, supplemental report,

investigative report or the actual report from a government agency or is a copy of an accident report or other report

which the insured is entitled to obtain under Section 20012 of the Vehicle Code or subdivision (f) of Section 6254 of the

Government Code.


CA Ins. §791.14. Examination And Investigation Of Insurance Institutions, Agents, Or Insurance-Support

Organizations

[Enacted by Laws 1980, Ch. 1214, §1.]

(a) The commissioner shall have power to examine and investigate into the affairs of every insurance institution or agent

doing business in this state to determine whether the insurance institution or agent has been or is engaged in any

conduct in violation of this article.

(b) The commissioner shall have the power to examine and investigate into the affairs of every insurance-support

organization acting on behalf of an insurance institution or agent which either transacts business in this state or transacts

business outside this state that has an effect on a person residing in this state in order to determine whether such

insurance-support organization has been or is engaged in any conduct in violation of this article.

CA Ins. §791.15. Violations Of Article; Statement Of Charges; Notice Of Hearing; Conduct Of Hearing; Service

Of Process

[Last amended by Laws 2006, Ch. 145 (S.B. 1462), §1.]

(a) Whenever the commissioner has reason to believe that an insurance institution, agent or insurance-support

organization has been or is engaged in conduct in this state which violates this article, or if the commissioner believes

that an insurance-support organization has been or is engaged in conduct outside this state which has an effect on a

person residing in this state and which violates this article, the commissioner shall issue and serve upon such insurance

institution, agent or insurance-support organization a statement of charges and notice of hearing to be held at a time and

place fixed in the notice. The date for such hearing shall be not less than 30 days after the date of service.

(b) At the time and place fixed for such hearing the insurance institution, agent or insurance-support organization

charged shall have an opportunity to answer the charges against it and present evidence on its behalf. Upon good cause

shown, the commissioner shall permit any adversely affected person to intervene, appear and be heard at such hearing

by counsel or in person.

(c) At any hearing conducted pursuant to this section the commissioner may administer oaths, examine and cross-examine witnesses and receive oral and documentary evidence. The commissioner shall have the power to subpoena

witnesses, compel their attendance and require the production of books, papers, records, correspondence and other

documents which are relevant to the hearing. A stenographic record of the hearing shall be made upon the request of

any party or at the discretion of the commissioner. If no stenographic record is made and if judicial review is sought, the

commissioner shall prepare a statement of the evidence for use on review. Hearings conducted under this section shall

be governed by the same rules of evidence and procedure applicable to administrative proceedings conducted under the

laws of this state.

(d) Statements of charges, notice, orders and other processes of the commissioner under this article may be served by

anyone duly authorized to act on behalf of the commissioner. Service of process may be completed in the manner

provided by law for service of process in civil actions or by registered mail or by a mailing service offered by a third party

mailing service with tracking capability that is not more expensive than registered mail. A copy of the statement of

charges, notice, order or other process shall be provided to the person or persons whose rights under this article have

been allegedly violated. A verified return setting forth the manner of service, the return postcard receipt in the case of

registered mail, or signed receipt documentation, shall be sufficient proof of service.

CA Ins. §791.16. Service Of Process; Insurance-Support Organizations Transacting Business Outside State

[Last amended by Laws 2006, Ch. 145 (S.B. 1462), §2.]

For the purpose of this article, an insurance-support organization transacting business outside this state that has an

effect on a person residing in this state shall be deemed to have appointed the commissioner to accept service of process

on its behalf, provided the commissioner causes a copy of the service to be mailed immediately by registered mail, or by

a mailing service offered by a third party mailing service with tracking capability that is not more expensive than

registered mail, to the insurance-support organization at its last known principal place of business. The return postcard

receipt or signed receipt documentation for the mailing shall be sufficient proof that the same was properly mailed by the

commissioner.

CA Ins. §791.17. Findings; Cease And Desist Orders; Written Reports; Service Of Process; Modification Or

Setting Aside Of Orders Or Reports

[Last amended by Laws 1981, Ch. 106, §15.]

(a) If, after a hearing pursuant to Section 791.15, the commissioner determines that the insurance institution, agent or

insurance-support organization charged has engaged in conduct or practices in violation of this article, the commissioner

shall reduce his or her findings to writing and shall issue and cause to be served upon such insurance institution, agent or


insurance-support organization a copy of such findings and an order requiring such insurance institution, agent or

insurance-support organization to cease and desist from the conduct or practices constituting a violation of this article.

(b) If, after a hearing pursuant to Section 791.15, the commissioner determines that the insurance institution, agent or

insurance-support organization charged has not engaged in conduct or practices in violation of this article, the

commissioner shall prepare a written report which sets forth findings of fact and conclusions of law. Such report shall be

served upon the insurance institution, agent or insurance-support organization charged and upon the person or persons,

if any, whose rights under this article were allegedly violated.

(c) Until the expiration of the time allowed under Section 791.18 for filing a petition for review or until such petition is

actually filed, whichever occurs first, the commissioner may modify or set aside any order or report issued under this

section. After the expiration of the time allowed under Section 791.18 for filing a petition for review, if no such petition

has been duly filed, the commissioner may, after notice and opportunity for hearing, alter, modify or set aside, in whole

or in part, any order or report issued under this section whenever conditions of fact or law warrant such action or if the

public interest so requires.

CA Ins. §791.18. Judicial Review; Finality Of Order Or Report

[Enacted by Laws 1980, Ch. 1214, §1.]

(a) Any person subject to an order of the commissioner under Section 779.17 or Section 791.20 or any person whose

rights under this article were allegedly violated may obtain a review of any order or report of the commissioner by filing

in a court of competent jurisdiction, within 30 days from the date of the service of such order or report, pursuant to

Section 1094.5 of the Code of Civil Procedure. The court shall have jurisdiction to make and enter a decree modifying,

affirming or reversing any order or report of the commissioner, in whole or in part.

(b) An order or report issued by the commissioner under Section 791.17 shall become final:

(1) Upon the expiration of the time allowed for the filing of a petition for review, if no such petition has been duly

filed; except that the commissioner may modify or set aside an order or report to the extent provided in

subdivision (c) of Section 791.17; or

(2) Upon a final decision of the court if the court directs that the order or report of the commissioner be affirmed or

the petition for review dismissed.

(c) No order or report of the commissioner under this article or order of a court to enforce the same shall in any way

relieve or absolve any person affected by such order or report from any liability under any law of this state.

CA Ins. §791.19. Violation Of Cease And Desist Order; Penalties

[Enacted by Laws 1980, Ch. 1214, §1.]

Any person who violates a cease and desist order of the commissioner under Section 791.17 may, after notice and

hearing and upon order of the commissioner, be subject to one or more of the following penalties, at the discretion of the

commissioner:

(a) A monetary fine of not more than ten thousand dollars ($10,000) for each violation; or

(b) A monetary fine of not more than fifty thousand dollars ($50,000) if the commissioner finds that violations have

occurred with such frequency as to constitute a general business practice; or

(c) Suspension or revocation of an insurance institution's or agent's license if the insurance institution or agent knew or

reasonably should have known it was in violation of this article.

CA Ins. §791.20. Equitable Relief; Damages; Costs; Attorney's Fees; Limitation Of Actions

[Last amended by Laws 1981, Ch. 106, §16.]

(a) If any insurance institution, agent or insurance-support organization fails to comply with Section 791.08, 791.09 or

791.10 with respect to the rights granted under those sections, any person whose rights are violated may apply to any

court of competent jurisdiction, for appropriate equitable relief.

(b) An insurance institution, agent or insurance-support organization which discloses information in violation of Section

791.13 shall be liable for damages sustained by the individual about whom the information relates. However no

individual shall be entitled to a monetary award which exceeds the actual damages sustained by the individual as a result

of a violation of Section 791.13.

(c) In any action brought pursuant to this section, the court may award the cost of the action and reasonable attorney's

fees to the prevailing party.


(d) An action under this section shall be brought within two years from the date the alleged violation is or should have

been discovered.

(e) Except as specifically provided in this section, there shall be no remedy or recovery available to individuals, in law or

in equity, for occurrences constituting a violation of any provision of this act.

CA Ins. §791.21. Immunity From Defamation, Invasion Of Privacy Or Negligence Actions; Exception For

Malice Or Willful Intent

[Last amended by Laws 1981, Ch. 106, §18.]

No cause of action in the nature of defamation, invasion of privacy or negligence shall arise against any person for

disclosing personal or privileged information in accordance with this chapter, nor shall such a cause of action arise

against any person for furnishing personal or privileged information to an insurance institution, agent or insurance-support organization; provided, however, this section shall provide no immunity for disclosing or furnishing false

information with malice or willful intent to injure any person.

CA Ins. §791.22. Obtaining Information Under False Pretenses; Penalties

[Enacted by Laws 1980, Ch. 1214, §1.]

Any person who knowingly and willfully obtains information about an individual from an insurance institution, agent or

insurance-support organization under false pretenses shall be fined not more than ten thousand dollars ($10,000) or

imprisoned for not more than one year, or both.

CA Ins. §791.23. Effective Date Of Rights Under Sections 791.08, 791.09 And 791.13; Effect Upon

Section 770.1

[Last amended by Laws 1981, Ch. 106, §19.]

The rights granted under Sections 791.08, 791.09 and 791.13 shall take effect on October 1, 1981, regardless of the

date of the collection or receipt of the information which is the subject of such sections. Nothing contained in subdivisions

(k) and (l) of Section 791.13, or in any other provision of this article, shall in any way affect the provisions of Section

770.1.

CIVIL CODE

DIVISION 1. PERSONS

PART 2.6. CONFIDENTIALITY OF MEDICAL INFORMATION

CHAPTER 1. DEFINITIONS

CA Civ. Code §56. Short Title

[Enacted by Laws 1981, Ch. 782, §2.]

This part may be cited as the Confidentiality of Medical Information Act.

CA Civ. Code §56.05. Definitions

[Last amended by Laws 2013, Ch. 444 (S.B. 138), §2.]

For purposes of this part:

(a) "Authorization" means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical

information.

(b) "Authorized recipient" means any person who is authorized to receive medical information pursuant to Section 56.10

or 56.20.

(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan

communications containing medical information be communicated to him or her at a specific mail or email address or

specific telephone number, as designated by the subscriber or enrollee.

(d) "Contractor" means any person or entity that is a medical group, independent practice association, pharmaceutical

benefits manager, or a medical service organization and is not a health care service plan or provider of health care.

"Contractor" does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code


or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975

(Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(e) “Endanger” means that the subscriber or enrollee fears that disclosure of his or her medical information could subject

the subscriber or enrollee to harassment or abuse.

(f) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

(g) "Health care service plan" means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of

1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(h) "Licensed health care professional" means any person licensed or certified pursuant to Division 2 (commencing with

Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or

Division 2.5 (commencing with Section 1797) of the Health and Safety Code.

(i) "Marketing" means to make a communication about a product or service that encourages recipients of the

communication to purchase or use the product or service.

"Marketing" does not include any of the following:

(1) Communications made orally or in writing for which the communicator does not receive direct or indirect

remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third

party for making the communication.

(2) Communications made to current enrollees solely for the purpose of describing a provider's participation in an

existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the

enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the

extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or

plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe;

or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.

(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the

individual about treatment options, and otherwise maintain the individual's adherence to a prescribed course of

medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously

debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and

Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including,

but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the

communication, if all of the following apply:

(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the

remuneration.

(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.

(C) The communication contains instructions in typeface no smaller than 14-point type describing how the

individual can opt out of receiving further communications by calling a toll-free number of the health care

provider, contractor, or health plan making the remunerated communications. No further communication may be

made to an individual who has opted out after 30 calendar days from the date the individual makes the opt out

request.

(j) "Medical information" means any individually identifiable information, in electronic or physical form, in possession of

or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a

patient's medical history, mental or physical condition, or treatment. "Individually identifiable" means that the medical

information includes or contains any element of personal identifying information sufficient to allow identification of the

individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or

other information that, alone or in combination with other publicly available information, reveals the individual's identity.

(k) "Patient" means any natural person, whether or not still living, who received health care services from a provider of

health care and to whom medical information pertains.

(l) "Pharmaceutical company" means any company or business, or an agent or representative thereof, that

manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. "Pharmaceutical company" does

not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.

(m) "Provider of health care" means any person licensed or certified pursuant to Division 2 (commencing with Section

500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the

Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health

and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with


Section 1200) of the Health and Safety Code. "Provider of health care" does not include insurance institutions as defined

in subdivision (k) of Section 791.02 of the Insurance Code.

(n) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of

the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the

minimum age specified for consenting to the service specified in the section.

(o) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

CA Civ. Code §56.06. Business Organized For The Purpose Of Maintaining Medical Information In Order To

Supply Information To Individual Or Health Care Provider For Specified Purposes; Business Offering

Hardware Or Software Designed To Make Medical Information Available To Individuals Or Health Care

Providers; Confidentiality; Penalties

[Last amended by Laws 2017, Ch. 561 (A.B. 1516), §17.]

(a) Any business organized for the purpose of maintaining medical information, as defined in subdivision (g) of Section

56.05, in order to make the information available to an individual or to a provider of health care at the request of the

individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the

diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of

this part. However, this section shall not be construed to make a business specified in this subdivision a provider of

health care for purposes of any law other than this part, including laws that specifically incorporate by reference the

definitions of this part.

(b) Any business that offers software or hardware to consumers, including a mobile application or other related device

that is designed to maintain medical information, as defined in subdivision (j) of Section 56.05, in order to make the

information available to an individual or a provider of health care at the request of the individual or a provider of health

care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or

management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the

requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a

provider of health care for purposes of any law other than this part, including laws that specifically incorporate by

reference the definitions of this part.

(c) Any business described in subdivision (a) or (b) shall maintain the same standards of confidentiality required of a

provider of health care with respect to medical information disclosed to the business.

(d) Any business described in subdivision (a) or (b) is subject to the penalties for improper use and disclosure of medical

information prescribed in this part.

CA Civ. Code §56.07. Medical Profile, Summary, Or Information Provided; Patient's Written Request;

Application

[Enacted by Laws 2000, Ch. 1066 (S.B. 1903), §1.]

(a) Except as provided in subdivision (c), upon the patient's written request, any corporation described in Section 56.06,

or any other entity that compiles or maintains medical information for any reason, shall provide the patient, at no

charge, with a copy of any medical profile, summary, or information maintained by the corporation or entity with respect

to the patient.

(b) A request by a patient pursuant to this section shall not be deemed to be an authorization by the patient for the

release or disclosure of any information to any person or entity other than the patient.

(c) This section shall not apply to any patient records that are subject to inspection by the patient pursuant to Section

123110 of the Health and Safety Code and shall not be deemed to limit the right of a health care provider to charge a fee

for the preparation of a summary of patient records as provided in Section 123130 of the Health and Safety Code. This

section shall not apply to a health care service plan licensed pursuant to Chapter 2.2 (commencing with Section 1340) of

Division 2 of the Health and Safety Code or a disability insurer licensed pursuant to the Insurance Code. This section

shall not apply to medical information compiled or maintained by a fire and casualty insurer or its retained counsel in the

regular course of investigating or litigating a claim under a policy of insurance that it has written. For the purposes of this

section, a fire and casualty insurer is an insurer writing policies that may be sold by a fire and casualty licensee pursuant

to Section 1625 of the Insurance Code.

CHAPTER 2. DISCLOSURE OF MEDICAL INFORMATION BY PROVIDERS

CA Civ. Code §56.10. Authorization; Compelled Disclosure; Other Permitted Disclosures

[Last amended by Laws 2016, Ch. 690 (A.B. 2119), §1.]


(a) A provider of health care, health care service plan, or contractor shall not disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c).

(b) A provider of health care, a health care service plan, or a contractor shall disclose medical information if the disclosure is compelled by any of the following:

(1) By a court pursuant to an order of that court.

(2) By a board, commission, or administrative agency for purposes of adjudication pursuant to its lawful authority.

(3) By a party to a proceeding before a court or administrative agency pursuant to a subpoena, subpoena duces tecum, notice to appear served pursuant to Section 1987 of the Code of Civil Procedure, or any provision authorizing discovery in a proceeding before a court or administrative agency.

(4) By a board, commission, or administrative agency pursuant to an investigative subpoena issued under Article 2 (commencing with Section 11180) of Chapter 2 of Part 1 of Division 3 of Title 2 of the Government Code.

(5) By an arbitrator or arbitration panel, when arbitration is lawfully requested by either party, pursuant to a subpoena duces tecum issued under Section 1282.6 of the Code of Civil Procedure, or another provision authorizing discovery in a proceeding before an arbitrator or arbitration panel.

(6) By a search warrant lawfully issued to a governmental law enforcement agency.

(7) By the patient or the patient's representative pursuant to Chapter 1 (commencing with Section 123100) of Part 1 of Division 106 of the Health and Safety Code.

(8) By a medical examiner, forensic pathologist, or coroner, when requested in the course of an investigation by a medical examiner, forensic pathologist, or coroner's office for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant deaths, suspicious deaths, unknown deaths, or criminal deaths, or upon notification of, or investigation of, imminent deaths that may involve organ or tissue donation pursuant to Section 7151.15 of the Health and Safety Code, or when otherwise authorized by the decedent's representative. Medical information requested by a medical examiner, forensic pathologist, or coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation or who is the prospective donor and shall be disclosed to a medical examiner, forensic pathologist, or coroner without delay upon request. A medical examiner, forensic pathologist, or coroner shall not disclose the information contained in the medical record obtained pursuant to this paragraph to a third party without a court order or authorization pursuant to paragraph (4) of subdivision (c) of Section 56.11.

(9) When otherwise specifically required by law.

(c) A provider of health care or a health care service plan may disclose medical information as follows:

(1) The information may be disclosed to providers of health care, health care service plans, contractors, or other health care professionals or facilities for purposes of diagnosis or treatment of the patient. This includes, in an emergency situation, the communication of patient information by radio transmission or other means between emergency medical personnel at the scene of an emergency, or in an emergency medical transport vehicle, and emergency medical personnel at a health facility licensed pursuant to Chapter 2 (commencing with Section 1250) of Division 2 of the Health and Safety Code.

(2) The information may be disclosed to an insurer, employer, health care service plan, hospital service plan, employee benefit plan, governmental authority, contractor, or other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made. If (A) the patient is, by reason of a comatose or other disabling medical condition, unable to consent to the disclosure of medical information and (B) no other arrangements have been made to pay for the health care services being rendered to the patient, the information may be disclosed to a governmental authority to the extent necessary to determine the patient's eligibility for, and to obtain, payment under a governmental program for health care services provided to the patient. The information may also be disclosed to another provider of health care or health care service plan as necessary to assist the other provider or health care service plan in obtaining payment for health care services rendered by that provider of health care or health care service plan to the patient.

(3) The information may be disclosed to a person or entity that provides billing, claims management, medical data processing, or other administrative services for providers of health care or health care service plans or for any of the persons or entities specified in paragraph (2). However, information so disclosed shall not be further disclosed by the recipient in a way that would violate this part.

(4) The information may be disclosed to organized committees and agents of professional societies or of medical staffs of licensed hospitals, licensed health care service plans, professional standards review organizations, independent medical review organizations and their selected reviewers, utilization and quality control peer review organizations as established by Congress in Public Law 97-248 in 1982, contractors, or persons or organizations insuring, responsible for, or defending professional liability that a provider may incur, if the committees, agents, health care service plans, organizations, reviewers, contractors, or persons are engaged in reviewing the competence or qualifications of health care professionals or in reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges.

(5) The information in the possession of a provider of health care or a health care service plan may be reviewed by a private or public body responsible for licensing or accrediting the provider of health care or a health care service plan. However, no patient-identifying medical information may be removed from the premises except as expressly permitted or required elsewhere by law, nor shall that information be further disclosed by the recipient in a way that would violate this part.

(6) The information may be disclosed to a medical examiner, forensic pathologist, or county coroner in the course of an investigation by a medical examiner, forensic pathologist, or coroner's office when requested for all purposes not included in paragraph (8) of subdivision (b). A medical examiner, forensic pathologist, or coroner shall not disclose the information contained in the medical record obtained pursuant to this paragraph to a third party without a court order or authorization pursuant to paragraph (4) of subdivision (c) of Section 56.11.

(7) The information may be disclosed to public agencies, clinical investigators, including investigators conducting epidemiologic studies, health care research organizations, and accredited public or private nonprofit educational or health care institutions for bona fide research purposes. However, no information so disclosed shall be further disclosed by the recipient in a way that would disclose the identity of a patient or violate this part.

(8) A provider of health care or health care service plan that has created medical information as a result of employment-related health care services to an employee conducted at the specific prior written request and expense of the employer may disclose to the employee's employer that part of the information that:

(A) Is relevant in a lawsuit, arbitration, grievance, or other claim or challenge to which the employer and the employee are parties and in which the patient has placed in issue his or her medical history, mental or physical condition, or treatment, provided that information may only be used or disclosed in connection with that proceeding.

(B) Describes functional limitations of the patient that may entitle the patient to leave from work for medical reasons or limit the patient's fitness to perform his or her present employment, provided that no statement of medical cause is included in the information disclosed.

(9) Unless the provider of health care or a health care service plan is notified in writing of an agreement by the sponsor, insurer, or administrator to the contrary, the information may be disclosed to a sponsor, insurer, or administrator of a group or individual insured or uninsured plan or policy that the patient seeks coverage by or benefits from, if the information was created by the provider of health care or health care service plan as the result of services conducted at the specific prior written request and expense of the sponsor, insurer, or administrator for the purpose of evaluating the application for coverage or benefits.

(10) The information may be disclosed to a health care service plan by providers of health care that contract with the health care service plan and may be transferred among providers of health care that contract with the health care service plan, for the purpose of administering the health care service plan. Medical information shall not otherwise be disclosed by a health care service plan except in accordance with this part.

(11) This part does not prevent the disclosure by a provider of health care or a health care service plan to an insurance institution, agent, or support organization, subject to Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code, of medical information if the insurance institution, agent, or support organization has complied with all of the requirements for obtaining the information pursuant to Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code.

(12) The information relevant to the patient's condition, care, and treatment provided may be disclosed to a probate court investigator in the course of an investigation required or authorized in a conservatorship proceeding under the Guardianship-Conservatorship Law as defined in Section 1400 of the Probate Code, or to a probate court investigator, probation officer, or domestic relations investigator engaged in determining the need for an initial guardianship or continuation of an existing guardianship.

(13) The information may be disclosed to an organ procurement organization or a tissue bank processing the tissue of a decedent for transplantation into the body of another person, but only with respect to the donating decedent, for the purpose of aiding the transplant. For the purpose of this paragraph, "tissue bank" and "tissue" have the same meanings as defined in Section 1635 of the Health and Safety Code.


(14) The information may be disclosed when the disclosure is otherwise specifically authorized by law, including, but not limited to, the voluntary reporting, either directly or indirectly, to the federal Food and Drug Administration of adverse events related to drug products or medical device problems, or to disclosures made pursuant to subdivisions (b) and (c) of Section 11167 of the Penal Code by a person making a report pursuant to Sections 11165.9 and 11166 of the Penal Code, provided that those disclosures concern a report made by that person.

(15) Basic information, including the patient's name, city of residence, age, sex, and general condition, may be disclosed to a state-recognized or federally recognized disaster relief organization for the purpose of responding to disaster welfare inquiries.

(16) The information may be disclosed to a third party for purposes of encoding, encrypting, or otherwise anonymizing data. However, no information so disclosed shall be further disclosed by the recipient in a way that would violate this part, including the unauthorized manipulation of coded or encrypted medical information that reveals individually identifiable medical information.

(17) For purposes of disease management programs and services as defined in Section 1399.901 of the Health and Safety Code, information may be disclosed as follows: (A) to an entity contracting with a health care service plan or the health care service plan's contractors to monitor or administer care of enrollees for a covered benefit, if the disease management services and care are authorized by a treating physician, or (B) to a disease management organization, as defined in Section 1399.900 of the Health and Safety Code, that complies fully with the physician authorization requirements of Section 1399.902 of the Health and Safety Code, if the health care service plan or its contractor provides or has provided a description of the disease management services to a treating physician or to the health care service plan's or contractor's network of physicians. This paragraph does not require physician authorization for the care or treatment of the adherents of a well-recognized church or religious denomination who depend solely upon prayer or spiritual means for healing in the practice of the religion of that church or denomination.

* * *

(d) Except to the extent expressly authorized by a patient, enrollee, or subscriber, or as provided by subdivisions (b) and (c), a provider of health care, health care service plan, contractor, or corporation and its subsidiaries and affiliates shall not intentionally share, sell, use for marketing, or otherwise use medical information for a purpose not necessary to provide health care services to the patient.

(e) Except to the extent expressly authorized by a patient or enrollee or subscriber or as provided by subdivisions (b) and (c), a contractor or corporation and its subsidiaries and affiliates shall not further disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan or insurer or self-insured employer received under this section to a person or entity that is not engaged in providing direct health care services to the patient or his or her provider of health care or health care service plan or insurer or self-insured employer.

* * *

CA Civ. Code §56.104. Patient's Participation In Outpatient Treatment With Psychotherapist; Request For Information; Application Of Section

[Last amended by Laws 2013, Ch. 444 (S.B. 138), §3.]

(a) Notwithstanding subdivision (c) of Section 56.10, except as provided in subdivision (e), no provider of health care, health care service plan, or contractor may release medical information to persons or entities who have requested that information and who are authorized by law to receive that information pursuant to subdivision (c) of Section 56.10, if the requested information specifically relates to the patient's participation in outpatient treatment with a psychotherapist, unless the person or entity requesting that information submits to the patient pursuant to subdivision (b) and to the provider of health care, health care service plan, or contractor a written request, signed by the person requesting the information or an authorized agent of the entity requesting the information, that includes all of the following:

(1) The specific information relating to a patient's participation in outpatient treatment with a psychotherapist being requested and its specific intended use or uses.

(2) The length of time during which the information will be kept before being destroyed or disposed of. A person or entity may extend that timeframe, provided that the person or entity notifies the provider, plan, or contractor of the extension. Any notification of an extension shall include the specific reason for the extension, the intended use or uses of the information during the extended time, and the expected date of the destruction of the information.

(3) A statement that the information will not be used for any purpose other than its intended use.


(4) A statement that the person or entity requesting the information will destroy the information and all copies in the person's or entity's possession or control, will cause it to be destroyed, or will return the information and all copies of it before or immediately after the length of time specified in paragraph (2) has expired.

(b) The person or entity requesting the information shall submit a copy of the written request required by this section to the patient within 30 days of receipt of the information requested, unless the patient has signed a written waiver in the form of a letter signed and submitted by the patient to the provider of health care or health care service plan waiving notification.

(c) For purposes of this section, "psychotherapist" means a person who is both a "psychotherapist" as defined in Section 1010 of the Evidence Code and a "provider of health care" as defined in Section 56.05.

(d) This section does not apply to the disclosure or use of medical information by a law enforcement agency or a regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.

(e) This section shall not apply to any of the following:

(1) Information authorized to be disclosed pursuant to paragraph (1) of subdivision (c) of Section 56.10.

(2) Information requested from a psychotherapist by law enforcement or by the target of the threat subsequent to a disclosure by that psychotherapist authorized by paragraph (19) of subdivision (c) of Section 56.10, in which the additional information is clearly necessary to prevent the serious and imminent threat disclosed under that paragraph.

(3) Information disclosed by a psychotherapist pursuant to paragraphs (14) and (22) of subdivision (c) of Section 56.10 and requested by an agency investigating the abuse reported pursuant to those paragraphs.

(f) Nothing in this section shall be construed to grant any additional authority to a provider of health care, health care service plan, or contractor to disclose information to a person or entity without the patient's consent.

CA Civ. Code §56.11. Authorization; Form And Contents

[Last amended by Laws 2009, Ch. 493 (A.B. 952), §2.]

Any person or entity that wishes to obtain medical information pursuant to subdivision (a) of Section 56.10, other than a person or entity authorized to receive medical information pursuant to subdivision (b) or (c) of Section 56.10, except as provided in paragraph (21) of subdivision (c) of Section 56.10, shall obtain a valid authorization for the release of this information.

An authorization for the release of medical information by a provider of health care, health care service plan, pharmaceutical company, or contractor shall be valid if it:

(a) Is handwritten by the person who signs it or is in a typeface no smaller than 14-point type.

(b) Is clearly separate from any other language present on the same page and is executed by a signature which serves no other purpose than to execute the authorization.

(c) Is signed and dated by one of the following:

(1) The patient. A patient who is a minor may only sign an authorization for the release of medical information obtained by a provider of health care, health care service plan, pharmaceutical company, or contractor in the course of furnishing services to which the minor could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60).

(2) The legal representative of the patient, if the patient is a minor or an incompetent. However, authorization may not be given under this subdivision for the disclosure of medical information obtained by the provider of health care, health care service plan, pharmaceutical company, or contractor in the course of furnishing services to which a minor patient could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60).

(3) The spouse of the patient or the person financially responsible for the patient, where the medical information is being sought for the sole purpose of processing an application for health insurance or for enrollment in a nonprofit hospital plan, a health care service plan, or an employee benefit plan, and where the patient is to be an enrolled spouse or dependent under the policy or plan.

(4) The beneficiary or personal representative of a deceased patient.

(d) States the specific uses and limitations on the types of medical information to be disclosed.


(e) States the name or functions of the provider of health care, health care service plan, pharmaceutical company, or contractor that may disclose the medical information.

(f) States the name or functions of the persons or entities authorized to receive the medical information.

(g) States the specific uses and limitations on the use of the medical information by the persons or entities authorized to receive the medical information.

(h) States a specific date after which the provider of health care, health care service plan, pharmaceutical company, or contractor is no longer authorized to disclose the medical information.

(i) Advises the person signing the authorization of the right to receive a copy of the authorization.

CA Civ. Code §56.13. Further Disclosure By Recipient Of Medical Information

[Enacted by Laws 1981, Ch. 782, §2.]

A recipient of medical information pursuant to an authorization as provided by this chapter or pursuant to the provisions of subdivision (c) of Section 56.10 may not further disclose that medical information except in accordance with a new authorization that meets the requirements of Section 56.11, or as specifically required or permitted by other provisions of this chapter or by law.

CA Civ. Code §56.14. Communication Of Limitations Of Authorization To Recipient Of Medical Information

[Last amended by Laws 1999, Ch. 526 (S.B. 19), §6.]

A provider of health care, health care service plan, or contractor that discloses medical information pursuant to the authorizations required by this chapter shall communicate to the person or entity to which it discloses the medical information any limitations in the authorization regarding the use of the medical information. No provider of health care, health care service plan, or contractor that has attempted in good faith to comply with this provision shall be liable for any unauthorized use of the medical information by the person or entity to which the provider, plan, or contractor disclosed the medical information.

CHAPTER 5. USE AND DISCLOSURE OF MEDICAL AND OTHER INFORMATION BY THIRD PARTY ADMINISTRATORS AND OTHERS

CA Civ. Code §56.265. Annuity Contracts; Disclosure Of Individually Identifiable Information Concerning Health, Medical Or Genetic History; Prohibition

[Enacted by Laws 2000, Ch. 278 (A.B. 2797), §2.]

A person or entity that underwrites or sells annuity contracts or contracts insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, and any affiliate of that person or entity, shall not disclose individually identifiable information concerning the health of, or the medical or genetic history of, a customer, to any affiliated or nonaffiliated depository institution, or to any other affiliated or nonaffiliated third party for use with regard to the granting of credit.

CHAPTER 6. RELATIONSHIP TO EXISTING LAW

CA Civ. Code §56.27. Employer That Is Insurance Institution, Agent Or Support Organization; Disclosure Not In Violation Of §56.20

[Last amended by Laws 1981, Ch. 782, §2.]

An employer that is an insurance institution, insurance agent, or insurance support organization subject to the Insurance Information and Privacy Protection Act, Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code, shall not be deemed to have violated Section 56.20 by disclosing medical information gathered in connection with an insurance transaction in accordance with that act.

CHAPTER 7. VIOLATIONS

CA Civ. Code §56.35. Compensatory And Punitive Damages; Attorneys' Fees And Costs

[Last amended by Laws 1999, Ch. 527 (A.B. 416), §4.]

In addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10 or 56.104 or 56.20 or subdivision (a) of Section 56.26 and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed three thousand dollars ($3,000), attorneys' fees not to exceed one thousand dollars ($1,000), and the costs of litigation.

CA Civ. Code §56.36. Misdemeanors; Violations; Remedies

[Last amended by Laws 2015, Ch. 303 (A.B. 731), §26.]

(a) A violation of the provisions of this part that results in economic loss or personal injury to a patient is punishable as a misdemeanor.

(b) In addition to any other remedies available at law, an individual may bring an action against a person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:

(1) Except as provided in subdivision (e), nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it is not necessary that the plaintiff suffered or was threatened with actual damages.

(2) The amount of actual damages, if any, sustained by the patient.

(c)(1) In addition, a person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation.

(2)(A) A person or entity, other than a licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation.

(B) A licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable on a first violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation, on a second violation for an administrative fine or civil penalty not to exceed ten thousand dollars ($10,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. This subdivision shall not be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for a violation of this part.

(3)(A) A person or entity, other than a licensed health care professional, who knowingly or willfully obtains or uses medical information in violation of this part for the purpose of financial gain shall be liable for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation.

(B) A licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part for financial gain shall be liable on a first violation, for an administrative fine or civil penalty not to exceed five thousand dollars ($5,000) per violation, on a second violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. This subdivision shall not be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.

(4) This subdivision shall not be construed as authorizing an administrative fine or civil penalty under both paragraphs (2) and (3) for the same violation.

(5) Any person or entity who is not permitted to receive medical information pursuant to this part and who knowingly and willfully obtains, discloses, or uses medical information without written authorization from the patient shall be liable for a civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation.

(d) In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the State Department of Public Health, licensing agency, or certifying board or court shall consider any of the relevant circumstances presented by any of the parties to the case including, but not limited to, the following:

(1) Whether the defendant has made a reasonable, good faith attempt to comply with this part.

(2) The nature and seriousness of the misconduct.

(3) The harm to the patient, enrollee, or subscriber.

(4) The number of violations.

(5) The persistence of the misconduct.


(6) The length of time over which the misconduct occurred.

(7) The willfulness of the defendant's misconduct.

(8) The defendant's assets, liabilities, and net worth.

(e)(1) In an action brought by an individual pursuant to subdivision (b) on or after January 1, 2013, in which the defendant establishes the affirmative defense in paragraph (2), the court shall award any actual damages and reasonable attorney's fees and costs, but shall not award nominal damages for a violation of this part.

(2) The defendant is entitled to an affirmative defense if all of the following are established, subject to the equitable considerations in paragraph (3):

(A) The defendant is a covered entity or business associate, as defined in Section 160.103 of Title 45 of the Code of Federal Regulations, in effect as of January 1, 2012.

(B) The defendant has complied with any obligations to notify all persons entitled to receive notice regarding the release of the information or records.

(C) The release of confidential information or records was solely to another covered entity or business associate.

(D) The release of confidential information or records was not an incident of medical identity theft. For purposes of this subparagraph, "medical identity theft" means the use of an individual's personal information, as defined in Section 1798.80, without the individual's knowledge or consent, to obtain medical goods or services, or to submit false claims for medical services.

(E) The defendant took appropriate preventive actions to protect the confidential information or records against release consistent with the defendant's obligations under this part or other applicable state law and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) (HIPAA) and all HIPAA Administrative Simplification Regulations in effect on January 1, 2012, contained in Parts 160, 162, and 164 of Title 45 of the Code of Federal Regulations and Part 2 of Title 42 of the Code of Federal Regulations, including, but not limited to, all of the following:

(i) Developing and implementing security policies and procedures.

(ii) Designating a security official who is responsible for developing and implementing its security policies and procedures, including educating and training the workforce.

(iii) Encrypting the information or records, and protecting against the release or use of the encryption key and passwords, or transmitting the information or records in a manner designed to provide equal or greater protections against improper disclosures.

(F) The defendant took reasonable and appropriate corrective action after the release of the confidential information or records, and the covered entity or business associate that received the confidential information or records destroyed or returned the confidential information or records in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. A court may consider this subparagraph to be established if the defendant shows in detail that the covered entity or business associate could not destroy or return the confidential information or records because of the technology utilized.

(G) The covered entity or business associate that received the confidential information or records, or any of its agents, independent contractors, or employees, regardless of the scope of the employee's employment, did not retain, use, or release the information or records.

(H) After the release of the confidential information or records, the defendant took reasonable and appropriate action to prevent a future similar release of confidential information or records.

(I) The defendant has not previously established an affirmative defense pursuant to this subdivision, or the court determines, in its discretion, that application of the affirmative defense is compelling and consistent with the purposes of this section to promote reasonable conduct in light of all the facts.

(3)(A) In determining whether the affirmative defense may be established pursuant to paragraph (2), the court shall consider the equity of the situation, including, but not limited to, (i) whether the defendant has previously violated this part, regardless of whether an action has previously been brought, and (ii) the nature of the prior violation.

(B) To the extent the court allows discovery to determine whether there has been any other violation of this part that the court will consider in balancing the equities, the defendant shall not provide any medical information, as defined in Section 56.05. The court, in its discretion, may enter a protective order prohibiting the further use of any personal information, as defined in Section 1798.80, about the individual whose medical information may have been disclosed in a prior violation.

(4) In an action under this subdivision in which the defendant establishes the affirmative defense pursuant to paragraph (2), a plaintiff shall be entitled to recover reasonable attorney's fees and costs without regard to an award of actual or nominal damages or the imposition of administrative fines or civil penalties.

(5) In an action brought by an individual pursuant to subdivision (b) on or after January 1, 2013, in which the defendant establishes the affirmative defense pursuant to paragraph (2), a defendant shall not be liable for more than one judgment on the merits under this subdivision for releases of confidential information or records arising out of the same event, transaction, or occurrence.

(f)(1) The civil penalty pursuant to subdivision (c) shall be assessed and recovered in a civil action brought in the name of the people of the State of California in any court of competent jurisdiction by any of the following:

(A) The Attorney General.

(B) A district attorney.

(C) A county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance.

(D) A city attorney of a city.

(E) A city attorney of a city and county having a population in excess of 750,000, with the consent of the district attorney.

(F) A city prosecutor in a city having a full-time city prosecutor or, with the consent of the district attorney, by a city attorney in a city and county.

(G) The State Public Health Officer, or his or her designee, may recommend that a person described in subparagraphs (A) to (F), inclusive, bring a civil action under this section.

(2) If the action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney or county counsel, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. Except as provided in paragraph (3), if the action is brought by a city attorney or city prosecutor, one-half of the penalty collected shall be paid to the treasurer of the city in which the judgment was entered and one-half to the treasurer of the county in which the judgment was entered.

(3) If the action is brought by a city attorney of a city and county, the entire amount of the penalty collected shall be paid to the treasurer of the city and county in which the judgment was entered.

(4) This section shall not be construed as authorizing both an administrative fine and civil penalty for the same violation.

(5) Imposition of a fine or penalty provided for in this section shall not preclude imposition of other sanctions or remedies authorized by law.

(6) Administrative fines or penalties issued pursuant to Section 1280.15 of the Health and Safety Code shall offset any other administrative fine or civil penalty imposed under this section for the same violation.

(g) For purposes of this section, "knowing" and "willful" shall have the same meanings as in Section 7 of the Penal Code.

(h) A person who discloses protected medical information in accordance with the provisions of this part is not subject to the penalty provisions of this part.

FINANCIAL CODE

DIVISION 1.4. CALIFORNIA FINANCIAL INFORMATION PRIVACY ACT

CA Fin. Code §4050. Short Title

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

This division shall be known and may be cited as the California Financial Information Privacy Act.

CA Fin. Code §4051. Legislative Intent

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

(a) The Legislature intends for financial institutions to provide their consumers notice and meaningful choice about how consumers' nonpublic personal information is shared or sold by their financial institutions.

(b) It is the intent of the Legislature in enacting the California Financial Information Privacy Act to afford persons greater privacy protections than those provided in Public Law 106-102, the federal Gramm-Leach-Bliley Act, and that this division be interpreted to be consistent with that purpose.

CA Fin. Code §4051.5. Legislative Findings And Declarations

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

(a) The Legislature finds and declares all of the following:

(1) The California Constitution protects the privacy of California citizens from unwarranted intrusions into their private and personal lives.

(2) Federal banking legislation, known as the Gramm-Leach-Bliley Act, which breaks down restrictions on affiliation among different types of financial institutions, increases the likelihood that the personal financial information of California residents will be widely shared among, between, and within companies.

(3) The policies intended to protect financial privacy imposed by the Gramm-Leach-Bliley Act are inadequate to meet the privacy concerns of California residents.

(4) Because of the limitations of these federal policies, the Gramm-Leach-Bliley Act explicitly permits states to enact privacy protections that are stronger than those provided in federal law.

(b) It is the intent of the Legislature in enacting this division:

(1) To ensure that Californians have the ability to control the disclosure of what the Gramm-Leach-Bliley Act calls nonpublic personal information.

(2) To achieve that control for California consumers by requiring that financial institutions that want to share information with third parties and unrelated companies seek and acquire the affirmative consent of California consumers prior to sharing the information.

(3) To further achieve that control for California consumers by providing consumers with the ability to prevent the sharing of financial information among affiliated companies through a simple opt-out mechanism via a clear and understandable notice provided to the consumer.

(4) To provide, to the maximum extent possible, consistent with the purposes cited above, a level playing field among types and sizes of businesses consistent with the objective of providing consumers control over their nonpublic personal information, including providing that those financial institutions with limited affiliate relationships may enter into agreements with other financial institutions as provided in this division, and providing that the different business models of differing financial institutions are treated in ways that provide consistent consumer control over information-sharing practices.

(5) To adopt to the maximum extent feasible, consistent with the purposes cited above, definitions consistent with federal law, so that in particular there is no change in the ability of businesses to carry out normal processes of commerce for transactions voluntarily entered into by consumers.

CA Fin. Code §4052. Definitions

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

For the purposes of this division:

(a) "Nonpublic personal information" means personally identifiable financial information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution. Nonpublic personal information does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from (1) federal, state, or local government records, (2) widely distributed media, or (3) disclosures to the general public that are required to be made by federal, state, or local law. Nonpublic personal information shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any nonpublic personal information.

(b) "Personally identifiable financial information" means information (1) that a consumer provides to a financial institution to obtain a product or service from the financial institution, (2) about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or (3) that the financial institution otherwise obtains about a consumer in connection with providing a product or service to that consumer. Any personally identifiable information is financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer. Personally identifiable financial information includes all of the following:

(1) Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service.

(2) Account balance information, payment history, overdraft history, and credit or debit card purchase information.

(3) The fact that an individual is or has been a consumer of a financial institution or has obtained a financial product or service from a financial institution.

(4) Any information about a financial institution's consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution's consumer.

(5) Any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.

(6) Any personally identifiable financial information collected through an Internet cookie or an information collecting device from a Web server.

(7) Information from a consumer report.

(c) "Financial institution" means any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and doing business in this state. An institution that is not significantly engaged in financial activities is not a financial institution. The term "financial institution" does not include any institution that is primarily engaged in providing hardware, software, or interactive services, provided that it does not act as a debt collector, as defined in 15 U.S.C. Sec. 1692a, or engage in activities for which the institution is required to acquire a charter, license, or registration from a state or federal governmental banking, insurance, or securities agency. The term "financial institution" does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that the entity does not sell or transfer nonpublic personal information to an affiliate or a nonaffiliated third party. The term "financial institution" does not include institutions chartered by Congress specifically to engage in a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party. The term "financial institution" does not include any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the consent of the client. The term "financial institution" does not include any person licensed as a dealer under Article 1 (commencing with Section 11700) of Chapter 4 of Division 5 of the Vehicle Code that enters into contracts for the installment sale or lease of motor vehicles pursuant to the requirements of Chapter 2B (commencing with Section 2981) or 2D (commencing with Section 2985.7) of Title 14 of Part 4 of Division 3 of the Civil Code and assigns substantially all of those contracts to financial institutions within 30 days.

(d) "Affiliate" means any entity that controls, is controlled by, or is under common control with, another entity, but does not include a joint employee of the entity and the affiliate. A franchisor, including any affiliate thereof, shall be deemed an affiliate of the franchisee for purposes of this division.

(e) "Nonaffiliated third party" means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of that institution and a third party.

(f) "Consumer" means an individual resident of this state, or that individual's legal representative, who obtains or has obtained from a financial institution a financial product or service to be used primarily for personal, family, or household purposes. For purposes of this division, an individual resident of this state is someone whose last known mailing address, other than an Armed Forces Post Office or Fleet Post Office address, as shown in the records of the financial institution, is located in this state. For purposes of this division, an individual is not a consumer of a financial institution solely because he or she is (1) a participant or beneficiary of an employee benefit plan that a financial institution administers or sponsors, or for which the financial institution acts as a trustee, insurer, or fiduciary, (2) covered under a group or blanket insurance policy or group annuity contract issued by the financial institution, (3) a beneficiary in a workers' compensation plan, (4) a beneficiary of a trust for which the financial institution is a trustee, or (5) a person who has designated the financial institution as trustee for a trust, provided that the financial institution provides all required notices and rights required by this division to the plan sponsor, group or blanket insurance policyholder, or group annuity contractholder.

(g) "Control" means (1) ownership or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, acting through one or more persons, (2) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions, or (3) the power to exercise, directly or indirectly, a controlling influence over the management or policies of a company. However, for purposes of the application of the definition of control as it relates to credit unions, a credit union has a controlling influence over the management or policies of a credit union service organization (CUSO), as that term is defined by state or federal law or regulation, if the CUSO is at least 67 percent owned by credit unions. For purposes of the application of the definition of control to a financial institution subject to regulation by the United States Securities and Exchange Commission, a person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of a company is presumed to control the company, and a person who does not own more than 25 percent of the voting securities of a company is presumed not to control the company, and a presumption regarding control may be rebutted by evidence, but in the case of an investment company, the presumption shall continue until the United States Securities and Exchange Commission makes a decision to the contrary according to the procedures described in Section 2(a)(9) of the federal Investment Company Act of 1940.

(h) "Necessary to effect, administer, or enforce" means the following:

(1) The disclosure is required, or is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes the following:

(A) Providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product.

(B) The accrual or recognition of incentives, discounts, or bonuses associated with the transaction or communications to eligible existing consumers of the financial institution regarding the availability of those incentives, discounts, and bonuses that are provided by the financial institution or another party.

(C) In the case of a financial institution that has issued a credit account bearing the name of a company primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales, the financial institution providing the retailer with nonpublic personal information as follows:

(i) Providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with the names and addresses of the consumers in whose name the account is held and a record of the purchases made using the credit account from a business establishment, including a Web site or catalog, bearing the brand name of the retailer.

(ii) Where the credit account can only be used for transactions with the retailer or affiliates of that retailer that are also primarily engaged in retail sales, providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with nonpublic personal information concerning the credit account, in connection with the offering or provision of the products or services of the retailer and those licensees or contractors.

(2) The disclosure is required or is one of the lawful or appropriate methods to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction or providing the product or service.

(3) The disclosure is required, or is a usual, appropriate, or acceptable method for insurance underwriting or the placement of insurance products by licensed agents and brokers with authorized insurance companies at the consumer's request, for reinsurance, stop loss insurance, or excess loss insurance purposes, or for any of the following purposes as they relate to a consumer's insurance:

(A) Account administration.

(B) Reporting, investigating, or preventing fraud or material misrepresentation.

(C) Processing premium payments.

(D) Processing insurance claims.

(E) Administering insurance benefits, including utilization review activities.

(F) Participating in research projects.

(G) As otherwise required or specifically permitted by federal or state law.

(4) The disclosure is required, or is a usual, appropriate, or acceptable method, in connection with the following:

(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means.

(B) The transfer of receivables, accounts, or interests therein.

(C) The audit of debit, credit, or other payment information.

(5) The disclosure is required in a transaction covered by the federal Real Estate Settlement Procedures Act (12 U.S.C. Sec. 2601 et seq.) in order to offer settlement services prior to the close of escrow (as those services are defined in 12 U.S.C. Sec. 2602), provided that (A) the nonpublic personal information is disclosed for the sole purpose of offering those settlement services and (B) the nonpublic personal information disclosed is limited to that necessary to enable the financial institution to offer those settlement services in that transaction.

(i) "Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to a financial activity under subsection (k) of Section 1843 of Title 12 of the United States Code (the United States Bank Holding Company Act of 1956). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.

(j) "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

(k) "Widely distributed media" means media available to the general public and includes a telephone book, a television or radio program, a newspaper, or a Web site that is available to the general public on an unrestricted basis.

CA Fin. Code §4052.5. Prohibition Against Disclosure Of Nonpublic Personal Information

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

Except as provided in Sections 4053, 4054.6, and 4056, a financial institution shall not sell, share, transfer, or otherwise disclose nonpublic personal information to or with any nonaffiliated third parties without the explicit prior consent of the consumer to whom the nonpublic personal information relates.

CA Fin. Code §4053. Consent Requirement To Disclose Nonpublic Personal Information; Requirements And Regulation

[Last amended by Laws 2013, Ch. 444 (S.B. 138), §8.]

[Ed. Note: Preempted by American Bankers Ass'n. v. Gould, 412 F.3d 1081, 1082+ (9th Cir. (Cal.) June 20, 2005) (No. 04-16334, 04-165600). The U.S. Court of Appeals, 9th Circuit, held that the affiliate-sharing preemption clause of the federal Fair Credit Reporting Act (15 USCA 1681t) preempts the California Financial Information Privacy Act, at least insofar as it tries to regulate the communication among affiliates of "information" as defined by the FCRA. Users are encouraged to refer to the text of the cases cited for complete information on the provisions affected.]

(a)(1) A financial institution shall not disclose to, or share a consumer's nonpublic personal information with, any nonaffiliated third party as prohibited by Section 4052.5, unless the financial institution has obtained a consent acknowledgment from the consumer that complies with paragraph (2) that authorizes the financial institution to disclose or share the nonpublic personal information. Nothing in this section shall prohibit or otherwise apply to the disclosure of nonpublic personal information as allowed in Section 4056. A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has not provided consent pursuant to this subdivision and Section 4052.5 to authorize the financial institution to disclose or share nonpublic personal information pertaining to him or her with any nonaffiliated third party. Nothing in this section shall prohibit a financial institution from denying a consumer a financial product or service if the financial institution could not provide the product or service to a consumer without the consent to disclose the consumer's nonpublic personal information required by this subdivision and Section 4052.5, and the consumer has failed to provide consent. A financial institution shall not be liable for failing to offer products and services to a consumer solely because that consumer has failed to provide consent pursuant to this subdivision and Section 4052.5 and the financial institution could not offer the product or service without the consent to disclose the consumer's nonpublic personal information required by this subdivision and Section 4052.5, and the consumer has failed to provide consent. Nothing in this section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice.

(2) A financial institution shall utilize a form, statement, or writing to obtain consent to disclose nonpublic personal information to nonaffiliated third parties as required by Section 4052.5 and this subdivision. The form, statement, or writing shall meet all of the following criteria:

(A) The form, statement, or writing is a separate document, not attached to any other document.

(B) The form, statement, or writing is dated and signed by the consumer.

(C) The form, statement, or writing clearly and conspicuously discloses that by signing, the consumer is consenting to the disclosure to nonaffiliated third parties of nonpublic personal information pertaining to the consumer.

(D) The form, statement, or writing clearly and conspicuously discloses (i) that the consent will remain in effect until revoked or modified by the consumer; (ii) that the consumer may revoke the consent at any time; and (iii) the procedure for the consumer to revoke consent.

(E) The form, statement, or writing clearly and conspicuously informs the consumer that (i) the financial institution will maintain the document or a true and correct copy; (ii) the consumer is entitled to a copy of the document upon request; and (iii) the consumer may want to make a copy of the document for the consumer's records.

(b)(1) A financial institution shall not disclose to, or share a consumer's nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing pursuant to subdivision (d) that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed. A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate, provided that where a consumer has exercised his or her right to prohibit disclosure pursuant to this division, nonpublic personal information is not further disclosed or used by an affiliate except as permitted by this division.

(2) Subdivision (a) shall not prohibit the release of nonpublic personal information by a financial institution with whom the consumer has a relationship to a nonaffiliated financial institution for purposes of jointly offering a financial product or financial service pursuant to a written agreement with the financial institution that receives the nonpublic personal information provided that all of the following requirements are met:

(A) The financial product or service offered is a product or service of, and is provided by, at least one of the financial institutions that is a party to the written agreement.

(B) The financial product or service is jointly offered, endorsed, or sponsored, and clearly and conspicuously identifies for the consumer the financial institutions that disclose and receive the disclosed nonpublic personal information.

(C) The written agreement provides that the financial institution that receives that nonpublic personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a financial product or financial service that is the subject of the written agreement.

(D) The financial institution that releases the nonpublic personal information has complied with subdivision (d) and the consumer has not directed that the nonpublic personal information not be disclosed.

(E) Notwithstanding this section, until January 1, 2005, a financial institution may disclose nonpublic personal information to a nonaffiliated financial institution pursuant to a preexisting contract with the nonaffiliated financial institution, for purposes of offering a financial product or financial service, if that contract was entered into on or before January 1, 2004. Beginning on January 1, 2005, no nonpublic personal information may be disclosed pursuant to that contract unless all the requirements of this subdivision are met.

(3) Nothing in this subdivision shall prohibit a financial institution from disclosing or sharing nonpublic personal information as otherwise specifically permitted by this division.

(4) A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has directed pursuant to this subdivision that nonpublic personal information pertaining to him or her not be disclosed. A financial institution shall not be required to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) where the consumer has directed that nonpublic personal information not be disclosed pursuant to this subdivision and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed pursuant to this subdivision. A financial institution shall not be liable for failing to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) solely because the consumer has directed that nonpublic personal information not be disclosed pursuant to this subdivision and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed to affiliates pursuant to this subdivision. Nothing in this section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice set forth in this division. Nothing in this section shall prohibit the disclosure of nonpublic personal information allowed by Section 4056.

(5) The financial institution may, at its option, choose instead to comply with the requirements of subdivision (a).


(c) Nothing in this division shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries; among financial institutions that are each wholly owned by the same financial institution; among financial institutions that are wholly owned by the same holding company; or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges which has a single corporation or its wholly owned subsidiaries providing management services to the reciprocal insurance exchanges, provided that in each case all of the following requirements are met:

(1) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are regulated by the same functional regulator; provided, however, that for purposes of this subdivision, financial institutions regulated by the Office of the Comptroller of the Currency, Office of Thrift Supervision, National Credit Union Administration, or a state regulator of depository institutions shall be deemed to be regulated by the same functional regulator; financial institutions regulated by the Securities and Exchange Commission, the United States Department of Labor, or a state securities regulator shall be deemed to be regulated by the same functional regulator; and insurers admitted in this state to transact insurance and licensed to write insurance policies shall be deemed to be in compliance with this paragraph.

(2) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are both principally engaged in the same line of business. For purposes of this subdivision, "same line of business" shall be one and only one of the following:

(A) Insurance.

(B) Banking.

(C) Securities.

(3) The financial institution disclosing the nonpublic personal information and the financial institution receiving it share a common brand, excluding a brand consisting solely of a graphic element or symbol, within their trademark, service mark, or trade name, which is used to identify the source of the products and services provided.

A wholly owned subsidiary shall include a subsidiary wholly owned directly or wholly owned indirectly in a chain of wholly owned subsidiaries.

Nothing in this subdivision shall permit the disclosure by a financial institution of medical record information, as defined in Section 791.02 of the Insurance Code, except in compliance with the requirements of this division, including the requirements set forth in subdivisions (a) and (b).

(d)(1) A financial institution shall be conclusively presumed to have satisfied the notice requirements of subdivision (b) if it uses the form set forth in this subdivision. The form set forth in this subdivision or a form that complies with subparagraphs (A) to (L), inclusive, of this paragraph shall be sent by the financial institution to the consumer so that the consumer may make a decision and provide direction to the financial institution regarding the sharing of his or her nonpublic personal information. If a financial institution does not use the form set forth in this subdivision, the financial institution shall use a form that meets all of the following requirements:

(A) The form uses the same title ("IMPORTANT PRIVACY CHOICES FOR CONSUMERS") and the headers, if applicable, as follows: "Restrict Information Sharing With Companies We Own Or Control (Affiliates)" and "Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services."

(B) The titles and headers in the form are clearly and conspicuously displayed, and no text in the form is smaller than 10-point type.

(C) The form is a separate document, except as provided by subparagraph (D) of paragraph (2), and Sections 4054 and 4058.7.

(D) The choice or choices pursuant to subdivision (b) and Section 4054.6, if applicable, provided in the form are stated separately and may be selected by checking a box.

(E) The form is designed to call attention to the nature and significance of the information in the document.

(F) The form presents information in clear and concise sentences, paragraphs, and sections.

(G) The form uses short explanatory sentences (an average of 15-20 words) or bullet lists whenever possible.

(H) The form avoids multiple negatives, legal terminology, and highly technical terminology whenever possible.

(I) The form avoids explanations that are imprecise and readily subject to different interpretations.

(J) The form achieves a minimum Flesch reading ease score of 50, as defined in Section 2689.4(a)(7) of Title 10 of the California Code of Regulations, in effect on March 24, 2003, except that the information in the form included to comply with subparagraph (A) shall not be included in the calculation of the Flesch reading ease score, and the information used to describe the choice or choices pursuant to subparagraph (D) shall score no lower than the information describing the comparable choice or choices set forth in the form in this subdivision.

(K) The form provides wide margins, ample line spacing and uses boldface or italics for key words.

(L) The form is not more than one page.

(2)(A) None of the instructional items appearing in brackets in the form set forth in this subdivision shall appear in the form provided to the consumer, as those items are for explanation purposes only. If a financial institution does not disclose or share nonpublic personal information as described in a header of the form, the financial institution may omit the applicable header or headers, and the accompanying information and box, in the form it provides pursuant to this subdivision. The form with those omissions shall be conclusively presumed to satisfy the notice requirements of this subdivision. [See Important Privacy Choices for Consumers below.]

(B) If a financial institution uses a form other than that set forth in this subdivision, the financial institution may submit that form to its functional regulator for approval, and for forms filed with the Office of Privacy Protection prior to July 1, 2007, that approval shall constitute a rebuttable presumption that the form complies with this section.

(C) A financial institution shall not be in violation of this subdivision solely because it includes in the form one or more brief examples or explanations of the purpose or purposes, or context, within which information will be shared, as long as those examples meet the clarity and readability standards set forth in paragraph (1).

(D) The outside of the envelope in which the form is sent to the consumer shall clearly state in 16-point boldface type "IMPORTANT PRIVACY CHOICES," except that a financial institution sending the form to a consumer in the same envelope as a bill, account statement, or application requested by the consumer does not have to include the wording "IMPORTANT PRIVACY CHOICES" on that envelope. The form shall be sent in any of the following ways:

(i) With a bill, other statement of account, or application requested by the consumer, in which case the information required by Title V of the Gramm-Leach-Bliley Act may also be included in the same envelope.

(ii) As a separate notice or with the information required by Title V of the Gramm-Leach-Bliley Act, and including only information related to privacy.

(iii) With any other mailing, in which case it shall be the first page of the mailing.

(E) If a financial institution uses a form other than that set forth in this subdivision, that form shall be filed with the Office of Privacy Protection within 30 days after it is first used.

(3) The consumer shall be provided a reasonable opportunity prior to disclosure of nonpublic personal information to direct that nonpublic personal information not be disclosed. A consumer may direct at any time that his or her nonpublic personal information not be disclosed. A financial institution shall comply with a consumer's directions concerning the sharing of his or her nonpublic personal information within 45 days of receipt by the financial institution. When a consumer directs that nonpublic personal information not be disclosed, that direction is in effect until otherwise stated by the consumer. A financial institution that has not provided a consumer with annual notice pursuant to subdivision (b) shall provide the consumer with a form that meets the requirements of this subdivision, and shall allow 45 days to lapse from the date of providing the form in person or the postmark or other postal verification of mailing before disclosing nonpublic personal information pertaining to the consumer.

Nothing in this subdivision shall prohibit the disclosure of nonpublic personal information as allowed by subdivision (c) or Section 4056.

(4) A financial institution may elect to comply with the requirements of subdivision (a) with respect to disclosure of nonpublic personal information to an affiliate or with respect to nonpublic personal information disclosed pursuant to paragraph (2) of subdivision (b), or subdivision (c) of Section 4054.6.

(5) If a financial institution does not have a continuing relationship with a consumer other than the initial transaction in which the product or service is provided, no annual disclosure requirement exists pursuant to this section as long as the financial institution provides the consumer with the form required by this section at the time of the initial transaction. As used in this section, "annually" means at least once in any period of 12 consecutive months during which that relationship exists. The financial institution may define the 12-consecutive-month period, but shall apply it to the consumer on a consistent basis. If, for example, a financial institution defines the 12-consecutive-month period as a calendar year and provides the annual notice to the consumer once in each calendar year, it complies with the requirement to send the notice annually.

(6) A financial institution with assets in excess of twenty-five million dollars ($25,000,000) shall include a self-addressed first class business reply return envelope with the notice. A financial institution with assets of up to and including twenty-five million dollars ($25,000,000) shall include a self-addressed return envelope with the notice. In lieu of the first class business reply return envelope required by this paragraph, a financial institution may offer a self-addressed return envelope with the notice and at least two alternative cost-free means for consumers to communicate their privacy choices, such as calling a toll-free number, sending a facsimile to a toll-free telephone number, or using electronic means. A financial institution shall clearly and conspicuously disclose in the form required by this subdivision the information necessary to direct the consumer on how to communicate his or her choices, including the toll-free or facsimile number or Web site address that may be used, if those means of communication are offered by the financial institution.

(7) A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the financial institution and the affiliates and other financial institutions.

(e) Nothing in this division shall prohibit a financial institution from marketing its own products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as (1) nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials to those customers except as permitted by Section 4056 and (2) in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which (A) the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract, and (B) the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party's compliance with that contract.

Important Privacy Choices for Consumers

You have the right to control whether we share some of your personal information. Please read the following information carefully before you make your choices below.

Your Rights

You have the following rights to restrict the sharing of personal and financial information with our affiliates (companies we own or control) and outside companies that we do business with. Nothing in this form prohibits the sharing of information necessary for us to follow the law, as permitted by law, or to give you the best service on your accounts with us. This includes sending you information about some other products or services.

Your Choices

Restrict Information Sharing With Companies We Own or Control (Affiliates): Unless you say “No,” we may share personal and financial information about you with our affiliated companies.

(_) NO, please do not share personal and financial information with your affiliated companies.

Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services: Unless you say “No,” we may share personal and financial information about you with outside companies we contract with to provide financial products and services to you.

(_) NO, please do not share personal and financial information with outside companies you contract with to provide financial products and services.

------------------------------------------------------------------------

Time Sensitive Reply

You may make your privacy choice(s) at any time. Your choice(s) marked here will remain unless you state otherwise. However, if we do not hear from you we may share some of your information with affiliated companies and other companies with whom we have contracts to provide products and services.

Name: ___________________________________________________________

Account or Policy Number(s): ________________________ [to be filled in by consumer]

Signature: ________________________________________________

To exercise your choices do [one of] the following:

(1) Fill out, sign and send back this form to us using the envelope provided (you may want to make a copy for your records); [#1 is mandatory]

(2) Call this toll-free number (800) xxx-xxxx or (xxx) xxx-xxxx; [optional]

(3) Reply electronically by contacting us through the following Internet option: xxxxx.com [optional]


CA Fin. Code §4053.5. Disclosure Of Nonpublic Personal Information By Entity That Receives Information; Permitted Uses

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

Except as otherwise provided in this division, an entity that receives nonpublic personal information from a financial institution under this division shall not disclose this information to any other entity, unless the disclosure would be lawful if made directly to the other entity by the financial institution. An entity that receives nonpublic personal information pursuant to any exception set forth in Section 4056 shall not use or disclose the information except in the ordinary course of business to carry out the activity covered by the exception under which the information was received.

CA Fin. Code §4054. Required Electronic Or Written Notice To Consumers

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

(a) Nothing in this division shall require a financial institution to provide a written notice to a consumer pursuant to Section 4053 if the financial institution does not disclose nonpublic personal information to any nonaffiliated third party or to any affiliate, except as allowed in this division.

(b) A notice provided to a member of a household pursuant to Section 4053 shall be considered notice to all members of that household unless that household contains another individual who also has a separate account with the financial institution.

(c)(1) The requirement to send a written notice to a consumer may be fulfilled by electronic means if the following requirements are met:

(A) The notice, and the manner in which it is sent, meets all of the requirements for notices that are required by law to be in writing, as set forth in Section 101 of the federal Electronic Signatures in Global and National Commerce Act.

(B) All other requirements applicable to the notice, as set forth in this division, are met, including, but not limited to, requirements concerning content, timing, form, and delivery. An electronic notice sent pursuant to this section is not required to include a return envelope.

(C) The notice is delivered to the consumer in a form the consumer may keep.

(2) A notice that is made available to a consumer, and is not delivered to the consumer, does not satisfy the requirements of paragraph (1).

(3) Any electronic consumer reply to an electronic notice sent pursuant to this division is effective. A person that electronically sends a notice required by this division to a consumer may not by contract, or otherwise, eliminate the effectiveness of the consumer's electronic reply.

(4) This division modifies the provisions of Section 101 of the federal Electronic Signatures in Global and National Commerce Act. However, it does not modify, limit, or supersede the provisions of subsection (c), (d), (e), (f), or (h) of Section 101 of the federal Electronic Signatures in Global and National Commerce Act, nor does it authorize electronic delivery of any notice of the type described in subsection (b) of Section 103 of that federal act.

CA Fin. Code §4054.6. Agreements Between Financial Institutions And Affinity Partners To Issue Credit Cards Or Financial Products Or Services; Disclosure Of Information; Requirements

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

(a) When a financial institution and an organization or business entity that is not a financial institution ("affinity partner") have an agreement to issue a credit card in the name of the affinity partner ("affinity card"), the financial institution shall be permitted to disclose to the affinity partner in whose name the card is issued only the following information pertaining to the financial institution's customers who are in receipt of the affinity card: (1) name, address, telephone number, and electronic mail address and (2) record of purchases made using the affinity card in a business establishment, including a Web site, bearing the brand name of the affinity partner.

(b) When a financial institution and an affinity partner have an agreement to issue a financial product or service, other than a credit card, on behalf of the affinity partner ("affinity financial product or service"), the financial institution shall be permitted to disclose to the affinity partner only the following information pertaining to the financial institution's customers who obtained the affinity financial product or service: name, address, telephone number, and electronic mail address.


(c) The disclosures specified in subdivisions (a) and (b) shall be permitted only if the following requirements are met:

(1) The financial institution has provided the consumer a notice meeting the requirements of subdivision (d) of Section 4053, and the consumer has not directed that nonpublic personal information not be disclosed. A response to a notice meeting the requirements of subdivision (d) directing the financial institution to not disclose nonpublic personal information to a nonaffiliated financial institution shall be deemed a direction to the financial institution to not disclose nonpublic personal information to an affinity partner, unless the form containing the notice provides the consumer with a separate choice for disclosure to affinity partners.

(2) The financial institution has a contractual agreement with the affinity partner that requires the affinity partner to maintain the confidentiality of the nonpublic personal information and prohibits affinity partners from using the information for any purposes other than verifying membership, verifying the consumer's contact information, or offering the affinity partner's own products or services to the consumer.

(3) The customer list is not disclosed in any way that reveals or permits extrapolation of any additional nonpublic personal information about any customer on the list.

(4) If the affinity partner sends any message to any electronic mail addresses obtained pursuant to this section, the message shall include at least both of the following:

(A) The identity of the sender of the message.

(B) A cost-free means for the recipient to notify the sender not to electronically mail any further message to the recipient.

(d) Nothing in this section shall prohibit the disclosure of nonpublic personal information pursuant to Section 4056.

(e) This section does not apply to credit cards issued in the name of an entity primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales.

CA Fin. Code §4056. Application Of Division; Conditions For Release Of Nonpublic Personal Information By Financial Institutions

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

(a) This division shall not apply to information that is not personally identifiable to a particular person.

(b) Notwithstanding Sections 4052.5, 4053, 4054, and 4054.6, a financial institution may release nonpublic personal information under the following circumstances:

(1) The nonpublic personal information is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity, or in connection with a proposed or actual securitization or secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer.

(2) The nonpublic personal information is released with the consent of or at the direction of the consumer.

(3) The nonpublic personal information is:

(A) Released to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein.

(B) Released to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims, or other liability.

(C) Released for required institutional risk control, or for resolving customer disputes or inquiries.

(D) Released to persons holding a legal or beneficial interest relating to the consumer, including for purposes of debt collection.

(E) Released to persons acting in a fiduciary or representative capacity on behalf of the consumer.

(4) The nonpublic personal information is released to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors.

(5) The nonpublic personal information is released to the extent specifically required or specifically permitted under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement agencies, including a federal functional regulator, the Secretary of the Treasury with respect to subchapter II of Chapter 53 of Title 31, and Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs. 1951-1959), the California Department of Insurance or other state insurance regulators, or the Federal Trade Commission, and self-regulatory organizations, or for an investigation on a matter related to public safety.

(6) The nonpublic personal information is released in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of the business or unit.

(7) The nonpublic personal information is released to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, administrative, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

(8) When a financial institution is reporting a known or suspected instance of elder or dependent adult financial abuse or is cooperating with a local adult protective services agency investigation of known or suspected elder or dependent adult financial abuse pursuant to Article 3 (commencing with Section 15630) of Chapter 11 of Part 3 of Division 9 of the Welfare and Institutions Code.

(9) The nonpublic personal information is released to an affiliate or a nonaffiliated third party in order for the affiliate or nonaffiliated third party to perform business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys, on behalf of the financial institution, provided that all of the following requirements are met:

(A) The services to be performed by the affiliate or nonaffiliated third party could lawfully be performed by the financial institution.

(B) There is a written contract between the affiliate or nonaffiliated third party and the financial institution that prohibits the affiliate or nonaffiliated third party, as the case may be, from disclosing or using the nonpublic personal information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract.

(C) The nonpublic personal information provided to the affiliate or nonaffiliated third party is limited to that which is necessary for the affiliate or nonaffiliated third party to perform the services contracted for on behalf of the financial institution.

(D) The financial institution does not receive any payment from or through the affiliate or nonaffiliated third party in connection with, or as a result of, the release of the nonpublic personal information.

(10) The nonpublic personal information is released to identify or locate missing and abducted children, witnesses, criminals and fugitives, parties to lawsuits, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs.

(11) The nonpublic personal information is released to a real estate appraiser licensed or certified by the state for submission to central data repositories such as the California Market Data Cooperative, and the nonpublic personal information is compiled strictly to complete other real estate appraisals and is not used for any other purpose.

(12) The nonpublic personal information is released as required by Title III of the federal Uniting and Strengthening

America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act;

P.L. 107-56).

(13) The nonpublic personal information is released either to a consumer reporting agency pursuant to the Fair Credit

Reporting Act (15 U.S.C. Sec. 1681 et seq.) or from a consumer report reported by a consumer reporting agency.

(14) The nonpublic personal information is released in connection with a written agreement between a consumer and

a broker-dealer registered under the Securities Exchange Act of 1934 or an investment adviser registered under the

Investment Advisers Act of 1940 to provide investment management services, portfolio advisory services, or financial

planning, and the nonpublic personal information is released for the sole purpose of providing the products and

services covered by that agreement.

(c) Nothing in this division is intended to change existing law relating to access by law enforcement agencies to

information held by financial institutions.

CA Fin. Code §4056.5. Persons Or Entities With License And/Or Written Contractual Agreement With Another

Licensed Person Or Entity; Disclosure Of Information; Contents Of Contract

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]


(a) The provisions of this division do not apply to any person or entity that meets the requirements of paragraph (1)

or (2) below. However, when nonpublic personal information is being or will be shared by a person or entity meeting the

requirements of paragraph (1) or (2) with an affiliate or nonaffiliated third party, this division shall apply.

(1) The person or entity is licensed in one or both of the following categories and is acting within the scope of the

respective license or certificate:

(A) As an insurance producer, licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 6

(commencing with Section 1760), or Chapter 8 (commencing with Section 1831) of Division 1 of the Insurance

Code, as a registered investment adviser pursuant to Chapter 3 (commencing with Section 25230) of Part 3 of

Division 1 of Title 4 of the Corporations Code, or as an investment adviser pursuant to Section 202(a)(11) of the

federal Investment Advisers Act of 1940.

(B) Is licensed to sell securities by the National Association of Securities Dealers (NASD).

(2) The person or entity meets the requirements in paragraph (1) and has a written contractual agreement with

another person or entity described in paragraph (1) and the contract clearly and explicitly includes the following:

(A) The rights and obligations between the licensees arising out of the business relationship relating to insurance

or securities transactions.

(B) An explicit limitation on the use of nonpublic personal information about a consumer to transactions

authorized by the contract and permitted pursuant to this division.

(C) A requirement that transactions specified in the contract fall within the scope of activities permitted by the

licenses of the parties.

(b) The restrictions on disclosure and use of nonpublic personal information, and the requirement for notification and

disclosure provided in this division, shall not limit the ability of insurance producers and brokers to respond to written or

electronic, including telephone, requests from consumers seeking price quotes on insurance products and services or to

obtain competitive quotes to renew an existing insurance contract, provided that any nonpublic personal information

disclosed pursuant to this subdivision shall not be used or disclosed except in the ordinary course of business in order to

obtain those quotes.

(c)(1) The disclosure or sharing of nonpublic personal information from an insurer, as defined in Section 23 of the

Insurance Code, or its affiliates to an exclusive agent, defined for purposes of this division as a licensed agent or broker

pursuant to Chapter 5 (commencing with Section 1621) of Part 2 of Division 1 of the Insurance Code whose contractual

or employment relationship requires that the agent offer only the insurer's policies for sale or financial products or

services that meet the requirements of paragraph (2) of subdivision (b) of Section 4053 and are authorized by the

insurer, or whose contractual or employment relationship with an insurer gives the insurer the right of first refusal for all

policies of insurance by the agent, and who may not share nonpublic personal information with any insurer other than

the insurer with whom the agent has a contractual or employment relationship as described above, is not a violation of

this division, provided that the agent may not disclose nonpublic personal information to any party except as permitted

by this division. An insurer or its affiliates do not disclose or share nonpublic personal information with exclusive agents

merely because information is maintained in common information systems or databases, and exclusive agents of the

insurer or its affiliates have access to those common information systems or databases, provided that where a consumer

has exercised his or her rights to prohibit disclosure pursuant to this division, nonpublic personal information is not

further disclosed or used by an exclusive agent except as permitted by this division.

(2) Nothing in this subdivision is intended to affect the sharing of information allowed in subdivision (a) or

subdivision (b).

CA Fin. Code §4057. Liability For Negligent Disclosure Of Nonpublic Personal Information; Civil Penalty And

Damages; Factors To Determine Amount Of Penalty

[Last amended by Laws 2015, Ch. 190 (A.B. 1517), §35.]

(a) An entity that negligently discloses or shares nonpublic personal information in violation of this division shall be liable,

irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to

exceed two thousand five hundred dollars ($2,500) per violation. However, if the disclosure or sharing results in the

release of nonpublic personal information of more than one individual, the total civil penalty awarded pursuant to this

subdivision shall not exceed five hundred thousand dollars ($500,000).

(b) An entity that knowingly and willfully obtains, discloses, shares, or uses nonpublic personal information in violation of

this division shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) per individual

violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.


(c) In determining the penalty to be assessed pursuant to a violation of this division, the court shall take into account the

following factors:

(1) The total assets and net worth of the violating entity.

(2) The nature and seriousness of the violation.

(3) The persistence of the violation, including any attempts to correct the situation leading to the violation.

(4) The length of time over which the violation occurred.

(5) The number of times the entity has violated this division.

(6) The harm caused to consumers by the violation.

(7) The level of proceeds derived from the violation.

(8) The impact of possible penalties on the overall fiscal solvency of the violating entity.

(d) In the event a violation of this division results in the identity theft of a consumer, as defined by Section 530.5 of the

Penal Code, the civil penalties set forth in this section shall be doubled.

(e) The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in

the name of the people of the State of California in any court of competent jurisdiction by any of the following:

(1) The Attorney General.

(2) The functional regulator with jurisdiction over regulation of the financial institution as follows:

(A) In the case of banks, savings associations, credit unions, commercial lending companies, and bank holding

companies, by the Department of Business Oversight, Division of Financial Institutions or the appropriate federal

authority;

(B) in the case of any person engaged in the business of insurance, by the Department of Insurance;

(C) in the case of any investment broker or dealer, investment company, investment adviser, residential

mortgage lender or finance lender, by the Department of Business Oversight, Division of Corporations; and

(D) in the case of a financial institution not subject to the jurisdiction of any functional regulator listed under

subparagraphs (A) to (C), inclusive, above, by the Attorney General.

CA Fin. Code §4058. Authority Of Department Or State Agency To Regulate Financial Institutions

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

Nothing in this division shall be construed as altering or annulling the authority of any department or agency of the state

to regulate any financial institution subject to its jurisdiction.

CA Fin. Code §4058.5. Preemption; Prospective And Retroactive Application

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

This division shall preempt and be exclusive of all local agency ordinances and regulations relating to the use and sharing

of nonpublic personal information by financial institutions. This section shall apply both prospectively and retroactively.

CA Fin. Code §4058.7. Combining Forms

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

Nothing in this division shall prevent an insurer, as defined in Section 23 of the Insurance Code, from combining the form

required by subdivision (d) of Section 4053 with the form required pursuant to Article 6.6 (commencing with Section

791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code and state regulations implementing the provisions of that

article, provided that the combined form meets the requirements contained in paragraph (1) of subdivision (d) of

Section 4053.

CA Fin. Code §4059. Severable Provisions

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

The provisions of this division shall be severable, and if any phrase, clause, sentence, or provision is declared to be

invalid or is preempted by federal law or regulation, the validity of the remainder of this division shall not be affected

thereby.


CA Fin. Code §4060. Operation Of Division

[Enacted by Laws 2003, Ch. 241 (S.B. 1), §1.]

This division shall become operative on July 1, 2004.

TITLE 10. INVESTMENT

CHAPTER 5. INSURANCE COMMISSIONER

Subchapter 5.9. Privacy Of Nonpublic Personal Information

Article 1. General Provisions

CA Admin. Code tit. 10 §2689.1. Authority And Purpose

[Adopted March 24, 2003.]

The Commissioner promulgates these regulations pursuant to the implied authority granted by California Insurance Code

Sections 791 et seq. and 15 U.S.C. Sections 6801(b) and 6805(b) to implement California Insurance Code and Gramm-

Leach-Bliley privacy provisions consistent with providing individuals the maximum privacy protections permitted by those

laws.

CA Admin. Code tit. 10 §2689.2. Scope

[Adopted March 24, 2003.]

These regulations govern the treatment of nonpublic personal information about individuals who obtain or are claimants

or beneficiaries of products or services primarily for personal, family, or household purposes. These regulations shall

apply to all licensees of the California Department of Insurance subject to California Insurance Code Sections 791 et seq.,

namely insurance institutions, agents, and insurance support organizations. Licensees not subject to California Insurance

Code Sections 791 et seq., but subject to Gramm-Leach-Bliley (GLBA), 15 U.S.C. Sections 6801-6810, shall comply with

GLBA privacy provisions and with Sections 2689.12 through 2689.20 of these regulations.

Licensees shall also comply with California Civil Code Section 1798.85 (SB 168, Chapter 720, Statutes of 2001), Business

and Professions Code Sections 17590 through 17595 (SB 771, Chapter 695, Statutes of 2001), and all other applicable

privacy and confidentiality provisions.

CA Admin. Code tit. 10 §2689.3. Disclosure Of Information

[Adopted March 24, 2003.]

Nonpublic personal information shall not be disclosed in a manner not permitted by California law or these regulations.

CA Admin. Code tit. 10 §2689.4. Definitions

[Adopted March 24, 2003.]

As used in these regulations, unless the context requires otherwise:

(a) "Clear and conspicuous" means that a notice is "reasonably understandable" and "designed to call attention to the

nature and significance of the information" in the notice. All notices must be clear and conspicuous and accurately reflect

the licensee's privacy policies and practices.

A notice is "reasonably understandable" if it:

(1) Presents information in clear, concise sentences, paragraphs, and sections;

(2) Uses short explanatory sentences (an average of 15-20 words) or bullet lists whenever possible;

(3) Uses definite, concrete, everyday words and active voice whenever possible;

(4) Avoids multiple negatives;

(5) Avoids legal and highly technical business terminology whenever possible;

(6) Avoids explanations that are imprecise and readily subject to different interpretations; and

(7) Achieves a minimum Flesch Reading Ease Score of 50. (The Flesch Reading Ease Score rates text on a 100-point

scale—the higher the score, the easier it is to understand the document. The formula for the Flesch Reading Ease

score is:


206.835 – (1.015 x ASL) – (84.6 x ASW)

where:

ASL = average sentence length (the number of words divided by the number of sentences)

ASW = average number of syllables per word (the number of syllables divided by the number of words).)
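The readability test above is a formula over three counts, so it can be checked mechanically before a notice is published. The following is an added example, not part of the compliance service text or of any regulator's tooling: it applies the regulation's formula (206.835 - 1.015 x ASL - 84.6 x ASW) to a constructed sample notice and checks it against the minimum score of 50. The word, sentence and syllable counting used here is a simple heuristic of my own; the regulation does not prescribe one, and a production reviewer would substitute a dictionary-backed syllable counter.

```python
import re

MINIMUM_SCORE = 50.0  # floor required by the regulation for privacy notices


def flesch_reading_ease(word_count, sentence_count, syllable_count):
    """Flesch Reading Ease as stated in the regulation.

    ASL = words / sentences, ASW = syllables / words.
    """
    if word_count == 0 or sentence_count == 0:
        raise ValueError("need at least one word and one sentence")
    asl = word_count / sentence_count
    asw = syllable_count / word_count
    return 206.835 - (1.015 * asl) - (84.6 * asw)


def count_syllables(word):
    """Heuristic syllable count (assumption: vowel-group counting with a
    silent-e adjustment). Adequate for a rough check, not authoritative."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return 0
    count = len(re.findall(r"[aeiouy]+", word))
    # a trailing silent 'e' (as in "share") normally adds no syllable,
    # but "-le" endings (as in "table") do
    if word.endswith("e") and not word.endswith("le") and count > 1:
        count -= 1
    return max(count, 1)


def score_text(text):
    """Tokenise a notice into sentences and words and return its score."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    return flesch_reading_ease(len(words), len(sentences), syllables)


def meets_minimum(score, minimum=MINIMUM_SCORE):
    """True when the notice clears the regulation's floor of 50."""
    return score >= minimum


# Constructed sample notice text (not from the regulation).
SAMPLE_NOTICE = "We share your information. You may say no."

if __name__ == "__main__":
    s = score_text(SAMPLE_NOTICE)
    print(f"score={s:.2f} passes={meets_minimum(s)}")
```

The two halves of the check are deliberately separated: `flesch_reading_ease` takes the three counts directly, so a reviewer who already has counts from a better tokenizer can feed them in, while `score_text` shows the end-to-end path on raw text.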

A notice is "designed to call attention to the nature and significance of the information" in it if it:

(8) Uses a plain-language heading to call attention to the notice;

(9) Uses an easy-to-read typeface and type size (at least 10 point);

(10) Provides wide margins and ample line spacing;

(11) Uses boldface or italics for key words;

(12) In a form that combines the licensee's notice with other information, uses distinctive type size, style, and

graphic devices, such as shading or sidebars; and

(13) If on the back or inside of a multi-page form, is accompanied by a prominent notice on the front of the form

directing the reader's attention to the privacy notice and where it may be found.

A notice on a web site is "designed to call attention to the nature and significance of the information" in it if it is

rendered as a page using Hypertext Markup Language (html) in addition to any other webpage formats used, is at

least the equivalent point size and type as the standard text on the licensee's web site, and uses text or visual cues

to encourage scrolling down the page if necessary to view the entire notice and ensures that other elements on the

web site (such as text, graphics, hyperlinks or sound) do not distract attention from the notice, and the notice is

either:

(14) Placed on a screen that consumers frequently access, such as a page on which transactions are conducted; or

(15) Accessed from a screen that consumers frequently access through a link that connects directly to the notice and

is labeled appropriately to convey the importance, nature and relevance of the notice.

(b) "Collect" means to obtain information that the licensee organizes or can retrieve by the name of an individual or by

identifying number, symbol or other identifying particular assigned to the individual, regardless of the source of the

underlying information.

(c) "Consumer" means an individual who seeks to obtain, obtains or has obtained an insurance product or service from a

licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has

nonpublic personal information. "Consumer" includes that individual's legal representative. Examples include, but are not

limited to, the following:

(1) An individual who provides nonpublic personal information to a licensee in connection with obtaining or seeking to

obtain financial, investment or economic advisory services relating to an insurance product or service, is a consumer

regardless of whether the licensee establishes an ongoing relationship.

(2) An applicant for insurance prior to the inception of insurance coverage is a consumer.

(3) An individual who is a consumer of another financial institution is not a licensee's consumer solely because the

licensee is acting as agent for, or provides processing or other services to, that financial institution.

(4) An individual is a licensee's consumer if the individual is a beneficiary of a life insurance policy underwritten by

the licensee, a claimant under an insurance policy issued by the licensee, an insured or an annuitant under an

insurance policy or an annuity issued by the licensee, a certificate holder under an employee or other group policy, a

bodily injury claimant against a commercial liability policy, a worker's compensation claimant, or a mortgagor of a

mortgage covered under a mortgage insurance policy; and the licensee discloses nonpublic personal information

about the individual to a nonaffiliated third party other than as permitted by California Insurance Code Section

791.13.

(5) If the licensee provides initial, annual and revised notices to the plan sponsor, group or blanket insurance

policyholder, group annuity contractholder, or workers' compensation plan participant, and does not disclose to a

nonaffiliated third party nonpublic personal information about such an individual other than as permitted under

California Insurance Code Section 791.13, an individual is not the consumer of the licensee solely because of that

relationship. If the licensee does not meet all the conditions of this paragraph, the described individuals are

consumers of a licensee.

(6) An individual is not a licensee's consumer solely because he or she is a beneficiary of a trust for which the

licensee is a trustee or because he or she has designated the licensee as trustee for a trust.


(d) "Customer" means a consumer who has a continuing relationship with a licensee under which the licensee provides

one or more insurance products or services to the consumer that are to be used primarily for personal, family or

household purposes.

A consumer has a continuing relationship with a licensee if the consumer is a current policyholder of an insurance

product issued by or through the licensee; or the consumer obtains financial, investment or economic advisory services

relating to an insurance product or service from the licensee for a fee.

A consumer does not have a continuing relationship with a licensee, and therefore is not a customer, if, for example:

(1) The consumer applies for insurance but does not purchase the insurance;

(2) The licensee sells the consumer travel insurance in an isolated transaction;

(3) The consumer is no longer a current policyholder of an insurance product or no longer obtains insurance services

with or through the licensee;

(4) The consumer is a beneficiary or claimant under a policy and has submitted a claim under a policy choosing a

settlement option involving an ongoing relationship with the licensee;

(5) The consumer is a beneficiary or a claimant under a policy and has submitted a claim under that policy choosing a

lump sum settlement option;

(6) The customer's policy is lapsed, expired, or otherwise inactive or dormant under the licensee's business practices,

and the licensee has not communicated with the customer about the relationship for a period of twelve (12)

consecutive months, other than annual privacy notices, material required by law or regulation, communication at the

direction of a state or federal authority, or promotional materials;

(7) The consumer is an insured or an annuitant under an insurance policy or annuity but is not the policyholder or

owner of the insurance policy or annuity; or

(8) The consumer's last known address according to the licensee's records is deemed invalid. An address of record is

deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as

undeliverable and if subsequent good faith attempts by the licensee to obtain a current valid address for the

individual have been unsuccessful. If so, and if the consumer has not opted out, the licensee shall, at least annually,

remove the consumer's name from any list for marketing purposes for disclosure to a nonaffiliated third party.

(e) "Financial institution" means any institution engaged in activities that are financial in nature or incidental to such

financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

Financial institution does not include:

(1) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity

Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(2) The Federal Agricultural Mortgage Corporation or any entity charged and operating under the Farm Credit Act of

1971 (12 U.S.C. 2001 et seq.); or

(3) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including

sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as the institutions do

not sell or transfer nonpublic personal information to a nonaffiliated third party.

(f) "Financial product or service" means any product or service that a financial holding company could offer by engaging

in an activity that is financial in nature or incidental to such a financial activity under Section 4(k) of the Bank Holding

Company Act of 1956 (12 U.S.C. 1843(k)). Financial service includes a financial institution's evaluation or brokerage of

information that the financial institution collects in connection with a request or an application from a consumer or a

financial product or service.

(g) "Nonaffiliated third party" means any person or entity that is not an affiliate of, or related by common ownership or

affiliated by corporate control with, a licensee. Nonaffiliated third party includes any company that is an affiliate solely by

virtue of the direct or indirect ownership or control of the company by the licensee or its affiliate in conducting merchant

banking or investment banking activities of the type described in Section 4(k)(4)(H) or insurance company investment

activities of the type described in Section 4(k)(4)(I) of the federal Bank Holding Company Act (12 U.S.C. 1843(k)(4)(H)

and (I)).

(h) "Nonpublic personal financial information" means personally identifiable financial information a consumer provides to

a licensee to obtain an insurance product or service from the licensee, information about a consumer resulting from a

transaction involving an insurance product or service between a licensee and a consumer, or information the licensee

obtains about a consumer in connection with providing an insurance product or service to that consumer.


"Nonpublic personal financial information" includes any list, description or other grouping of consumers that is derived

using any personally identifiable financial information that is not publicly available. "Nonpublic personal financial

information" does not include medical record information.

(i) "Nonpublic personal information" means "personal information" as defined in California Insurance Code Section

791.02(s). "Nonpublic personal information" includes "nonpublic personal financial information" and "medical record

information" (as defined in California Insurance Code Section 791.02(q)).

"Nonpublic personal information" includes any list, description or other grouping of consumers that is derived using any

personally identifiable information that is not publicly available. "Nonpublic personal information" also includes any

information about the licensee's consumer if it is disclosed in a manner that indicates that the individual is or has been

the licensee's consumer; any information the licensee collects through an Internet cookie (an information-collecting

device from a web survey); and information from a consumer report.

If information about individuals associated with a business entity is collected or accessed in connection with a consumer

transaction, or is used for marketing products or services intended for personal, family, or household purposes, it is

nonpublic personal information for purposes of these regulations. Insurance transactions relating to products obtained by

a policyholder for business, commercial, or agricultural purposes, but which actually provide insurance primarily for

personal, family, or household purposes, involve nonpublic personal information for purposes of these regulations.

A dual purpose policy providing only incidental or supplemental commercial coverages is still a policy primarily for

personal, family or household purposes for purposes of these regulations.

(j) "Opt-In" means that a licensee must obtain a consumer's permission before sharing certain nonpublic personal

information with others.

(k) "Opt-Out" means that a licensee must allow a consumer the opportunity to prevent the sharing of certain nonpublic

personal financial information with others.

(l) "Ownership of voting securities," as used in California Insurance Code Section 791.02(g), means ownership or power

to vote twenty-five percent (25%) or more of the outstanding shares of any class of voting security of the person or

entity, directly or indirectly, or acting through one or more other persons, and includes power in any manner over the

election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the

person or entity.

(m) "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully

made available to the general public from federal, state or local government records; widely distributed media; or

disclosures to the general public that are required to be made by federal, state or local law.

A licensee has a reasonable basis to believe that information is lawfully made available to the general public if the

licensee has taken steps to determine that the information is of the type that is available to the general public; and when

an individual can direct that the information not be made available to the general public, the individual has not done so.

Article 2. Privacy Notices; Opt Out Notices For Nonpublic Personal Financial Information

CA Admin. Code tit. 10 §2689.5. Initial Privacy Notice

[Adopted March 24, 2003.]

(a) In addition to any notice of information practices required by California Insurance Code Section 791.04, licensees

shall provide notice as required by this section. Licensees may provide the notices required by California Insurance Code

Section 791.04 and this section in a single combined notice or in separate notices, so long as all the requirements of

California Insurance Code Section 791.04 and these regulations are satisfied. If a licensee uses a California notice and

another separate notice, the California notice shall clearly state that any rights a consumer, claimant, or beneficiary may

have as described in the California notice are not limited by the standard privacy notice that the licensee also uses.

A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to:

(1) A customer, not later than when the licensee establishes a customer relationship, except as provided in

subsection (c) of this section; and

(2) A consumer, claimant, or beneficiary before the licensee discloses any nonpublic personal information about the

consumer, claimant, or beneficiary to any nonaffiliated third party, if the licensee makes a disclosure other than as

authorized by California Insurance Code Section 791.13(a) through (j) or (l) through (r), unless the licensee has a

customer relationship with the consumer, claimant, or beneficiary, or a notice has been provided by an affiliated

licensee, the notice clearly identifies all licensees to whom the notice applies, and is accurate with respect to the

licensee and the other institutions.


(b) When an existing customer obtains a new insurance product or service, intended primarily for personal, family, or

household purposes, the licensee need not provide a new initial notice if the notice most recently provided by the

licensee or an affiliate is accurate with respect to the licensee and the affiliate.

(c) A licensee may provide the initial notice required by subsection (a)(1) within a reasonable time after the licensee

establishes a customer relationship if:

(1) Establishing the customer relationship is not at the customer's election; for example, if a licensee acquires or is

assigned a customer's policy from another licensee or residual market mechanism and the customer does not have a

choice about the licensee's acquisition or assignment.

(2) Providing notice not later than when the licensee establishes a customer relationship would substantially delay the

customer's transaction; for example, when the licensee and the individual agree over the telephone to enter into a

customer relationship involving prompt delivery of the insurance product or service. In that case, the customer shall

be provided with oral notice of the licensee's privacy policies, provided that the privacy notice is mailed or provided in

electronic form within fourteen (14) business days after the sale, and documentation is maintained showing that oral

disclosure was provided to the customer. For licensees who do not disclose personal information other than as

permitted by California Insurance Code Section 791.13, an oral disclosure is not required.

The customer's transaction is not substantially delayed when the relationship is initiated in person at the licensee's office

or through other means by which the customer may view the notice, such as on a web site.

CA Admin. Code tit. 10 §2689.6. Annual Privacy Notice

[Adopted March 24, 2003.]

In addition to any notice of information practices required by California Insurance Code Section 791.04, licensees shall

provide notice as required by this section. Licensees may provide the notices required by California Insurance Code

Section 791.04 and this section in a single combined notice or in separate notices, so long as all the requirements of

California Insurance Code Section 791.04 and these regulations are satisfied. If a licensee uses a California notice and

another separate notice, the California notice shall clearly state that any rights a consumer, claimant, or beneficiary may

have as described in the California notice are not limited by the standard privacy notice that the licensee also uses.

A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and

practices not less than annually during the continuation of the customer relationship. Annually means at least once in any

period of twelve (12) consecutive months during which that relationship exists. A licensee may define the twelve-

consecutive-month period, but the licensee shall apply it to the customer on a consistent basis. A licensee is not required

to provide an annual notice to a former customer with whom it no longer has a continuing relationship.

CA Admin. Code tit. 10 §2689.7. Information To Be Included In Privacy Notices

[Adopted March 24, 2003.]

(a) The initial, annual and revised privacy notices that a licensee provides under Sections 2689.5, 2689.6, and 2689.9

shall, at a minimum, include each of the following that applies to the licensee and to the consumers to whom the licensee

sends its privacy notice:

(1) The categories of nonpublic personal information that the licensee collects;

(2) The categories of nonpublic personal information that the licensee discloses;

(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal

information, and the general types of businesses in which the third parties engage if the information is disclosed

pursuant to California Insurance Code Section 791.13(k);

(4) The categories of nonpublic personal information about the licensee's former customers that the licensee discloses

and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal

information about the licensee's former customers, if the information is disclosed pursuant to California Insurance

Code Section 791.13(k);

(5) If a licensee wishes to disclose or reserve the right to disclose nonpublic personal financial information to an

affiliate for marketing purposes without affirmative authorization or the right to opt out of that disclosure, a

statement explaining that the licensee may disclose nonpublic personal financial information to affiliates for marketing

purposes without obtaining prior authorization and the law does not allow customers to restrict that disclosure.

(6) An explanation of the consumer's right to opt out of the disclosure of nonpublic personal financial information to

nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;

(7) Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act

(15 U.S.C. 1681a(d)(2)(A)(iii)) regarding the ability to opt out of disclosures of information among affiliates;

(8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic

personal information, including a general description as to who is authorized to have access to the information;

(9) If applicable, a statement that the consumer has the right to access and request correction of recorded nonpublic

personal information and a brief description of the manner in which those rights may be exercised; and

(10) The categories of disclosures that the licensee makes under California Insurance Code Section 791.13.

(11) If applicable, the statement required by California Insurance Code Section 791.04(b)(5).

(12) A licensee does not adequately categorize the information that it discloses if the licensee uses only general

terms, such as transaction information about the consumer.

(b) If prior authorization is not required and a licensee reserves the right to disclose all of the nonpublic personal

information about consumers that it collects, the licensee may simply state that fact without describing the categories or

examples of nonpublic personal information that the licensee discloses.

(c) An abbreviated notice, as provided for in California Insurance Code Section 791.04(c), shall comply with California

Insurance Code Section 791.04(c) and:

(1) Be clear and conspicuous;

(2) Describe a reasonable means by which the consumer may obtain the notice prescribed by California Insurance

Code Section 791.04(b), such as calling a toll-free telephone number to request the notice. If the consumer is

provided the abbreviated notice in person at the licensee's office, the abbreviated notice may state that the licensee

maintains copies of the notice on hand which will be provided to the consumer immediately upon request; and

(3) If applicable, contain an opt-out notice complying with these regulations.

This section does not prohibit the use of multiple links on a website to different categories or levels of information, as

long as they are designed to facilitate rather than impede access.

CA Admin. Code tit. 10 §2689.8. Form Of Opt Out Notice And Opt Out Methods

[Adopted March 24, 2003.]

(a) If a licensee is required to provide an opportunity to opt-out before it shares any nonpublic personal financial

information with a nonaffiliated third party, it shall provide a clear and conspicuous notice to the consumer, that clearly

states in 16-point boldface type "IMPORTANT PRIVACY CHOICES", or similarly highlights the purpose of the notice, so

that the consumer may make a decision and provide direction to the licensee regarding the sharing of his or her

nonpublic personal financial information.

If a licensee provides the opt out notice later than the initial notice, the licensee shall also include, with the opt-out

notice, a copy of the initial notice in writing or, if the consumer agrees, electronically.

The notice shall state that the licensee discloses or reserves the right to disclose nonpublic personal financial information

about its consumers to nonaffiliated third parties, that the consumer has the right to opt out of that disclosure, and set

forth reasonable means by which the consumer may exercise the opt out right.

A licensee provides adequate notice that the consumer can prevent the disclosure of nonpublic personal financial

information to a nonaffiliated third party if the licensee (1) identifies all of the categories of nonpublic personal financial

information which it discloses or reserves the right to disclose, (2) all of the categories of nonaffiliated third parties to

which it discloses the information, (3) states that the consumer can prevent the disclosure of that information, and

identifies the insurance products or services that the consumer obtains from the licensee to which the opt out direction

would apply.

A licensee provides a reasonable means to exercise an opt out right if it designates check-off boxes in a prominent

position on the relevant forms with the opt out notice; includes a reply form together with the opt-out notice; provides

an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee's web site,

if the consumer agrees to the electronic delivery of information. Unless the consumer agrees to an electronic opt-out

method, the licensee shall provide a self-addressed postage prepaid return envelope or a toll-free telephone number that

consumers may use to opt out.

A licensee does not provide a reasonable means of opting out if, for example, the only means of opting out is for the

consumer to write his or her own letter to exercise that opt out right, or the only means of opting out as described in any

notice subsequent to the initial notice is to use a check-off box that the licensee provided with the initial notice but did

not include with the subsequent notice.

(b) If a licensee mails the opt-out notice with information that is not a bill or renewal offer, the opt-out notice shall be

the first page of the mailing.

(c) A licensee is not subject to the notice and opt out requirements for nonpublic personal financial information if the

licensee is an employee or agent of another licensee ("the principal") and:

(1) The principal otherwise complies with, and provides the required notices; and

(2) The licensee does not disclose any nonpublic personal financial information to any person other than the principal

or its affiliates in a manner permitted by California Insurance Code Sections 791-791.27 or these regulations.

For purposes of these regulations, “agent” is defined in California Insurance Code Section 791.02(c) to include any

person licensed pursuant to Chapters 5, 5A, 6, 7, or 8 and thus includes an insurance broker.

(d) When a consumer has declined to exercise the right to opt out in accordance with this section, the nonpublic personal

financial information disclosed:

(1) May not exceed the scope of disclosure stated in the licensee's opt-out notice;

(2) May not include account number, or policy number information; and

(3) Shall comply with California Insurance Code Section 791.13(k)(1).

(e) If two or more consumers jointly obtain an insurance product or service from a licensee, the licensee may provide a

single opt out notice, as long as the licensee gives clear and conspicuous notice that the notice is being provided on a

joint basis and the consumers have given the licensee a single address of record or the licensee has other reasonable

basis to believe that the notice will be adequately communicated to each individual entitled to receive notice.

The licensee's opt out notice shall explain how the licensee will treat an opt out direction by a joint consumer. Any of the

joint consumers may exercise the right to opt out. The licensee may either treat an opt out direction by a joint consumer

as applying to all of the associated joint consumers or permit each joint consumer to opt out separately. If a licensee

permits each joint consumer to opt out separately, the licensee shall permit one of the joint consumers to opt out on

behalf of all of the joint consumers. A licensee may not require all joint consumers to opt out before it implements any

opt out direction. If one joint policyholder opts out and the other does not, the licensee may only disclose nonpublic

personal financial information about the policyholder who did not opt out and may not disclose information relating to the

policyholders jointly.

(f) A consumer may exercise the right to opt out at any time. A licensee may share marketing information with

nonaffiliated third parties if a consumer does not respond within 30 days. A licensee shall not share information for

marketing purposes before the conclusion of the 30-day time period. If a consumer provides an opt-out direction after

the licensee has begun sharing nonpublic personal financial information, the licensee shall comply with the opt-out

direction no later than 30 days after the licensee receives the opt out direction.

(g) A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or

electronically, at the consumer's choice.

When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal

financial information that the licensee collected during or related to that relationship. If the individual subsequently

establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship

does not apply to the new relationship.

(h) Any authorized representative may opt out on behalf of the consumer. A licensee receiving notice that a consumer

has opted out shall not require proof of authorization unless it has a reasonable basis for believing that the person

submitting the opt-out direction was acting contrary to the wishes of the consumer.

CA Admin. Code tit. 10 §2689.9. Revised Privacy Notices

[Adopted March 24, 2003.]

(a) Except as otherwise authorized, a licensee shall not, directly or through an affiliate, disclose any nonpublic personal

information about a consumer to a nonaffiliated third party other than as described in the notice provided to that

consumer unless:

(1) The licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its

policies and practices;

(2) The licensee has provided to the consumer a new opt out notice which complies with section 2689.8; and

(3) The consumer does not opt out in accordance with section 2689.8.

CA Admin. Code tit. 10 §2689.10. Delivery Of Notices

[Adopted March 24, 2003.]

(a) A licensee shall provide any required notices, including notices provided at the consumer's request, so that each

consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

Notices must be made available in a form capable of retention by the consumer.

A licensee may reasonably expect that a consumer will receive actual notice if the licensee, for example:

(1) Hand-delivers a printed copy of the notice to the consumer;

(2) Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or

other written communication;

(3) For a consumer who conducts transactions electronically, posts the notice on the electronic site in accordance with

section 2689.4(a) and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a

particular insurance product or service;

(4) For an isolated transaction with a consumer, such as the licensee providing an insurance quote or selling the

consumer travel insurance, posts the notice in a conspicuous location and requires the consumer to acknowledge

receipt of the notice as a necessary step to obtaining the particular insurance product or service.

A licensee may not reasonably expect that a consumer will receive actual notice if it:

(5) Only posts a sign in its office or generally publishes advertisements of its privacy policies and practices; or

(6) Sends the notice via electronic mail to a consumer who does not obtain an insurance product or service from the

licensee electronically.

(b) A licensee may not provide any notice required by these regulations solely by orally explaining the notice, either in

person or over the telephone.

Article 3. Limits On Disclosures Of Medical Record Information

CA Admin. Code tit. 10 §2689.11. Disclosure Of Medical Record Information

[Adopted March 24, 2003.]

(a) A licensee shall not disclose nonpublic personal medical record information about a consumer to affiliated or

nonaffiliated third parties without the consumer's prior written authorization.

(b) This section does not prohibit or restrict the disclosure of nonpublic personal medical record information as permitted

by California Insurance Code Section 791.13 or require an authorization for disclosure of nonpublic personal medical

record information other than as required by California Insurance Code Section 791.13.

Article 4. Standards For Safeguarding Nonpublic Personal Information

CA Admin. Code tit. 10 §2689.12. General Provisions

[Adopted March 24, 2003.]

(a) This article establishes standards for developing and implementing administrative, technical, and physical safeguards

to protect the security, confidentiality, and integrity of nonpublic personal information, pursuant to California Insurance

Code Section 791 and sections 501, 505(b), and 507, codified at 15 U.S.C. 6801, 6805(b) and 6807, of GLBA.

(b) The actions and procedures described in sections 2689.16, 2689.17, 2689.18, and 2689.19 are examples of methods

of implementation of the requirements of sections 2689.14 and 2689.15. These examples are non-exclusive illustrations

of actions and procedures that licensees may follow to implement sections 2689.14 and 2689.15 of these regulations.

CA Admin. Code tit. 10 §2689.13. Definitions

[Adopted March 24, 2003.]

For purposes of this article, the following definitions apply:

(a) "Customer information systems" means the electronic or physical methods used to access, collect, store, use,

transmit, protect, or dispose of nonpublic personal information, whether that information is maintained in paper,

electronic, or other form.

(b) "Service provider" means any person or entity that maintains, processes, or otherwise is permitted access to

customer information through its provision of services directly to the licensee.

CA Admin. Code tit. 10 §2689.14. Information Security Program

[Adopted March 24, 2003.]

Each licensee shall implement a comprehensive written information security program that includes administrative,

technical and physical safeguards for the protection of customer information. The administrative, technical, and physical

safeguards included in the information security program shall be appropriate to the size and complexity of the licensee

and the nature and scope of its activities.

CA Admin. Code tit. 10 §2689.15. Objectives Of Information Security Program

[Adopted March 24, 2003.]

A licensee's information security program shall be designed to:

(a) Ensure the security and confidentiality of customer information;

(b) Protect against any anticipated threats or hazards to the security or integrity of such information; and

(c) Protect against unauthorized access to or use of such information that could result in substantial harm or

inconvenience to any customer.

CA Admin. Code tit. 10 §2689.16. Assess Risk

[Adopted March 24, 2003.]

The licensee:

(a) Identifies reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse,

alteration, or destruction of customer information or customer information systems;

(b) Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer

information; and

(c) Assesses the sufficiency of policies, procedures, customer information systems, and other safeguards in place to

control risks.

CA Admin. Code tit. 10 §2689.17. Manage And Control Risk

[Adopted March 24, 2003.]

The licensee:

(a) Designs its information security program to control the identified risks, commensurate with the sensitivity of the

information as well as the complexity and scope of the licensee's activities.

(b) Trains staff, as appropriate, to implement the licensee's information security program; and

(c) Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security

program. The frequency and nature of the tests are determined by the licensee's risk assessment.

CA Admin. Code tit. 10 §2689.18. Service Providers

[Adopted March 24, 2003.]

The licensee:

(a) Exercises appropriate due diligence in selecting its service providers; and

(b) Requires its service providers, by contract, to implement appropriate measures designed to meet the objectives of

this article, and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service

providers have satisfied such obligations.

CA Admin. Code tit. 10 §2689.19. Adjust The Program

[Adopted March 24, 2003.]

A licensee monitors, evaluates, and adjusts, as appropriate, the information security program in light of any relevant

changes in technology, the sensitivity of its customer information, internal or external threats to information, and the

licensee's own changing business arrangements, such as mergers and acquisitions, outsourcing arrangements, and

changes to customer information systems.

CA Admin. Code tit. 10 §2689.20. Enforcement

[Adopted March 24, 2003.]

The Commissioner shall audit a licensee's compliance with this article in a manner and with such frequency as the

Commissioner deems necessary. Violations of this article are subject to California Insurance Code Section 791.15, et seq.

and any other enforcement provisions available to the Commissioner.

Article 5. Additional Provisions

CA Admin. Code tit. 10 §2689.21. Protection Of Fair Credit Reporting Act

[Adopted March 24, 2003.]

Nothing in these regulations shall be construed to modify, limit or supersede the operation of the federal Fair Credit

Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of these

regulations regarding whether information is transaction or experience information under Section 603 of that Act.

CA Admin. Code tit. 10 §2689.22. Nondiscrimination

[Adopted March 24, 2003.]

A licensee shall not unfairly discriminate against any consumer or customer because that consumer or customer has

opted out from the disclosure of his or her nonpublic personal information pursuant to the provisions of these

regulations.

A licensee shall not unfairly discriminate against a consumer or customer because that consumer or customer has not

granted authorization for the disclosure of his or her nonpublic personal medical record information pursuant to the

provisions of these regulations.

As used in this section, "unfairly discriminate" includes denying a consumer or customer a product or service because he

or she has not provided the consent required to authorize the financial institution to disclose or share his or her nonpublic

personal information as provided in California Insurance Code Section 791.13(k).

CA Admin. Code tit. 10 §2689.23. Severability

[Adopted March 24, 2003.]

If any section or portion of a section of these regulations or its applicability to any person or circumstance is held invalid

by a court, the remainder of the regulation or the applicability of the provision to other persons or circumstances shall

not be affected.

CA Admin. Code tit. 10 §2689.24. Effective Date; Contracts With Nonaffiliated Third Parties [Sample Clauses]

[Adopted March 24, 2003.]

These regulations are effective one hundred and twenty (120) days after they are filed with the Secretary of State. If

that day falls on a Saturday, Sunday, or any holiday set forth in California Government Code Section 6700, the

regulations shall become effective on the next business day.

Within 90 days of the effective date of these regulations, all contracts that a licensee enters into or has entered into with

a nonaffiliated third party to perform services for the licensee or functions on the licensee's behalf shall include or be

amended to include a written requirement that the third party maintain the confidentiality of nonpublic personal

information where the nonaffiliated third party obtains confidential nonpublic personal information in connection with the

contract.

Appendix A. Sample Clauses

If applicable, a licensee may use the following sample clauses in its notices. A group of financial holding company

affiliates using a common privacy notice may use these clauses if accurate for each company. These clauses are not

exclusive. (Note that disclosure of certain information, such as assets, income and information from a consumer

reporting agency, may result in obligations under the federal Fair Credit Reporting Act.)

Categories of information collected

The following language may be used to describe the categories of personal information collected.

We collect personal information about you from:

• Applications or other forms you complete;

• Your business dealings with us and other companies; and

• Consumer reporting agencies.

Categories of information disclosed

The following language may be used to describe the categories of personal information disclosed.

Alternative 1:

We may disclose the following personal information about you:

• Information from your application or other forms, such as your name, address, social security number, assets,

income, and beneficiaries;

• Information about your transactions with us, our affiliates or others, such as your policy coverage, premiums, and

payment history; and

• Information from consumer reporting agencies, such as your credit history.

Alternative 2:

We may disclose all the information that we collect about you.

To whom information is disclosed

The following language may be used to describe the persons to whom the licensee discloses information.

Alternative 1:

We do not disclose any personal information about you to anyone unless allowed by law. The law allows us to share your

financial information with our affiliates to market products or services to you. You cannot prevent those disclosures.

Alternative 2:

We may disclose personal information about you to:

• Financial companies, such as life insurers, automobile insurers, mortgage bankers, securities broker-dealers, and

insurance agents;

• Companies, such as retailers, direct marketers, airlines, and publishers; and

• Others, such as non-profit organizations.

Alternative 3:

We may also disclose personal information about you as allowed by law. The law allows us to share your financial

information with our affiliates to market products or services to you. You cannot prevent those disclosures.

Explanation of opt out right

The following language may be used to explain the consumer's right to opt out of the disclosure of personal financial

information to nonaffiliated third parties and how the consumer may exercise that right, when the licensee discloses

personal information as permitted by California Insurance Code Section 791.13(k)(2).

If you don't want us to disclose personal information about you to nonaffiliated companies, you may tell us so. This is

known as "opting out". If you wish to opt out, call us at 1-800___-____ or complete and return the enclosed form. We

may share information about you if we do not hear from you within 30 days. However, you may opt-out at any time. Just

call or write us. Even if you opt-out, we may still disclose information as allowed by law. This includes disclosing

information to our affiliates to market other products or services to you.

Confidentiality and security

The following language may be used to describe how a licensee protects the confidentiality and security of personal

information.

We protect your nonpublic personal information. The only employees who have access to that information are those who

must have it to provide products or services to you.

ADDITIONAL ADMINISTRATIVE MATERIAL

CA Notice 3-27-2003. Department Of Insurance Privacy Regulations

March 27, 2003

This Notice is to remind all insurance institutions, agents, and insurance support organizations ("licensees") subject to

the provisions of the California Insurance Information and Privacy Protection Act (California Insurance Code Sections

791 - 791.27) and the privacy provisions of the Federal Gramm-Leach-Bliley Financial Services Modernization Act that

California's regulations governing the Privacy of Nonpublic Personal Information took effect on March 24, 2003. Those

regulations are set forth at Title 10, California Code of Regulations, Sections 2689.1 through 2689.24. A copy of the

regulations is available here. [Ed Note: Please see text of cited regulation above.]

In summary, the regulations provide:

Licensees generally must provide consumers with a Notice describing the licensee's privacy practices at the time of

policy application and annually thereafter.

All Notices must clearly and conspicuously describe the categories of personal information collected about individuals,

the categories of personal information disclosed about individuals, and the categories of third parties who may

receive that information.

If a licensee wishes to disclose personal financial information to nonaffiliated third parties, the licensee must provide

a clear and conspicuous Opt-Out Notice and a cost-free method for the consumer to reply.

The regulations clarify what constitutes a clear and conspicuous notice.

Insurance producers are responsible for providing notices only if they collect or disclose information in ways other

than as set forth in the insurer's notice.

Nonpublic personal medical record information may not be disclosed without prior written consent.

Standards are required for the safeguarding of nonpublic personal information.

Licensees not in compliance with all applicable provisions may be subject to enforcement action in accordance with

California Insurance Code Section 791.15 and any other enforcement provisions available to the Commissioner.

Any questions regarding this Notice or the specific requirements of the regulations can be addressed to:

Mary Ann Shulman

Staff Counsel

California Department of Insurance

Legal Division, Rate Enforcement Bureau

45 Fremont Street, 21st Floor

San Francisco, CA 94105

(415) 538-4133

CA Notice 5-16-2014. Notification Of Improper Personal Information Disclosures And Security Breaches

May 16, 2014

The purpose of this Notice is to inform admitted insurers, insurance producers, and other interested parties of California's

improper personal information disclosure and security breach notification requirements.

The Insurance Information and Privacy Protection Act (Insurance Code § 791 et seq.) establishes standards for the

collection, use, and disclosure of information gathered by insurers, insurance producers, and insurance support

organizations. The Act restricts the manner in which those persons or entities may disclose the personal or privileged

information of consumers. (Insurance Code § 791.13) The Act vests in the Insurance Commissioner the power to

examine and investigate the affairs of persons or entities engaged in the business of insurance to verify compliance with

the Insurance Information and Privacy Protection Act. (Insurance Code § 791.14)

Applicable law also requires entities that conduct business in California and own or license computerized data that

includes personal information to disclose any breach of the security of the data to California residents when such

residents' unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.

(Civil Code § 1798.82) Effective January 1, 2012, any person or business that is required to issue a security breach

notification to more than 500 California residents shall also submit a sample copy of that security breach notification,

excluding any personally identifiable information, to the Attorney General of the State of California. (Civil Code § 1798.82

(f))


The Insurance Commissioner requests all insurers, insurance producers, and insurance support organizations to provide

to the Insurance Commissioner any notices or information submitted to the Attorney General's Office in accordance with

Civil Code § 1798.82(f). Copies of notices or information should be sent to California Department of Insurance, Attn:

Susan Bernard - Division Chief, Field Examinations, 45 Fremont Street, 24th Floor, San Francisco, CA 94105; email:

[email protected].

Any questions or comments concerning this Notice should be sent to California Department of Insurance, Attn:

Christopher Citko - Senior Staff Counsel, 300 Capitol Mall, 17th Floor, Sacramento, CA 95814; email: christopher.citko@insurance.ca.gov.

SOCIAL SECURITY NUMBER PRIVACY

CIVIL CODE

DIVISION 3. OBLIGATIONS

PART 4. OBLIGATIONS ARISING FROM PARTICULAR TRANSACTIONS

TITLE 1.81.1. CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS

CA Civ. Code §1798.85. Prohibited Actions With Respect To Social Security Numbers; Application And

Exceptions; Operative Dates With Respect To Specified Entities

[Last amended by Laws 2014, Ch. 855 (A.B. 1710), §3.]

(a) Except as provided in this section, a person or entity may not do any of the following:

(1) Publicly post or publicly display in any manner an individual's social security number. "Publicly post" or "publicly

display" means to intentionally communicate or otherwise make available to the general public.

(2) Print an individual's social security number on any card required for the individual to access products or services

provided by the person or entity.

(3) Require an individual to transmit his or her social security number over the Internet, unless the connection is

secure or the social security number is encrypted.

(4) Require an individual to use his or her social security number to access an Internet Web site, unless a password

or unique personal identification number or other authentication device is also required to access the Internet Web

site.

(5) Print an individual's social security number on any materials that are mailed to the individual, unless state or

federal law requires the social security number to be on the document to be mailed. Notwithstanding this paragraph,

social security numbers may be included in applications and forms sent by mail, including documents sent as part of

an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm

the accuracy of the social security number. A social security number that is permitted to be mailed under this section

may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the

envelope or without the envelope having been opened.

(6) Sell, advertise for sale, or offer to sell an individual's social security number. For purposes of this paragraph, the

following apply:

(A) “Sell” shall not include the release of an individual's social security number if the release of the social security

number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a

legitimate business purpose. Release of an individual's social security number for marketing purposes is not

permitted.

(B) “Sell” shall not include the release of an individual's social security number for a purpose specifically

authorized or specifically allowed by federal or state law.

(b) This section does not prevent the collection, use, or release of a social security number as required by state or

federal law or the use of a social security number for internal verification or administrative purposes.

(c) This section does not prevent an adult state correctional facility, an adult city jail, or an adult county jail from

releasing an inmate's social security number, with the inmate's consent and upon request by the county veterans service


officer or the United States Department of Veterans Affairs, for the purposes of determining the inmate's status as a

military veteran and his or her eligibility for federal, state, or local veterans' benefits or services.

(d) This section does not apply to documents that are recorded or required to be open to the public pursuant to Chapter

3.5 (commencing with Section 6250), Chapter 14 (commencing with Section 7150) or Chapter 14.5 (commencing with

Section 7220) of Division 7 of Title 1 of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of

Title 2 of, or Chapter 9 (commencing with Section 54950) of Part 1 of Division 2 of Title 5 of, the Government Code. This

section does not apply to records that are required by statute, case law, or California Rule of Court, to be made available

to the public by entities provided for in Article VI of the California Constitution.

(e)(1) In the case of a health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a

contractor as defined in Section 56.05, or the provision by any person or entity of administrative or other services

relative to health care or insurance products or services, including third-party administration or administrative services

only, this section shall become operative in the following manner:

(A) On or before January 1, 2003, the entities listed in paragraph (1) shall comply with paragraphs (1), (3), (4),

and (5) of subdivision (a) as these requirements pertain to individual policyholders or individual contractholders.

(B) On or before January 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5),

inclusive, of subdivision (a) as these requirements pertain to new individual policyholders or new individual

contractholders and new groups, including new groups administered or issued on or after January 1, 2004.

(C) On or before July 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5),

inclusive, of subdivision (a) for all individual policyholders and individual contractholders, for all groups, and for all

enrollees of the Healthy Families and Medi-Cal programs, except that for individual policyholders, individual

contractholders and groups in existence prior to January 1, 2004, the entities listed in paragraph (1) shall comply

upon the renewal date of the policy, contract, or group on or after July 1, 2004, but no later than July 1, 2005.

(2) A health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor, or

another person or entity as described in paragraph (1) shall make reasonable efforts to cooperate, through systems

testing and other means, to ensure that the requirements of this article are implemented on or before the dates

specified in this section.

(3) Notwithstanding paragraph (2), the Director of the Department of Managed Health Care, pursuant to the authority

granted under Section 1346 of the Health and Safety Code, or the Insurance Commissioner, pursuant to the authority

granted under Section 12921 of the Insurance Code, and upon a determination of good cause, may grant extensions

not to exceed six months for compliance by health care service plans and insurers with the requirements of this

section when requested by the health care service plan or insurer. Any extension granted shall apply to the health

care service plan or insurer's affected providers, pharmacy benefits manager, and contractors.

(f) If a federal law takes effect requiring the United States Department of Health and Human Services to establish a

national unique patient health identifier program, a provider of health care, a health care service plan, a licensed health

care professional, or a contractor, as those terms are defined in Section 56.05, that complies with the federal law shall

be deemed in compliance with this section.

(g) A person or entity may not encode or embed a social security number in or on a card or document, including, but not

limited to, using a barcode, chip, magnetic strip, or other technology, in place of removing the social security number, as

required by this section.

(h) This section shall become operative, with respect to the University of California, in the following manner:

(1) On or before January 1, 2004, the University of California shall comply with paragraphs (1), (2), and (3) of

subdivision (a).

(2) On or before January 1, 2005, the University of California shall comply with paragraphs (4) and (5) of

subdivision (a).

(i) This section shall become operative with respect to the Franchise Tax Board on January 1, 2007.

(j) This section shall become operative with respect to the California community college districts on January 1, 2007.

(k) This section shall become operative with respect to the California State University system on July 1, 2005.

(l) This section shall become operative, with respect to the California Student Aid Commission and its auxiliary

organization, in the following manner:

(1) On or before January 1, 2004, the commission and its auxiliary organization shall comply with paragraphs (1),

(2), and (3) of subdivision (a).


(2) On or before January 1, 2005, the commission and its auxiliary organization shall comply with paragraphs (4)

and (5) of subdivision (a).

CA Civ. Code §1798.89. Recording Or Filing Of Documents; Display Of Social Security Numbers; Due Diligence

In Using Truncated Social Security Numbers

[Enacted by Laws 2009, Ch. 552 (S.B. 40), §2.]

(a) Unless otherwise required to do so by state or federal law, no person, entity, or governmental agency shall present

for recording or filing with a county recorder a document that is required by any provision of law to be open to the public

if that record displays more than the last four digits of a social security number. Unless otherwise authorized by state or

federal law, a document containing more than the last four digits of a social security number is not entitled for recording.

(b) A recorder shall be deemed to be in compliance with the requirements of this section if he or she uses due diligence

to truncate social security numbers in documents recorded, as provided in Article 3.5 (commencing with Section 27300)

of Chapter 6 of Part 3 of Division 2 of Title 3 of the Government Code.

(c) This section shall not apply to documents created prior to January 1, 2010.

INFORMATION SECURITY AND SAFEGUARDS

CIVIL CODE

DIVISION 3. OBLIGATIONS

PART 4. OBLIGATIONS ARISING FROM PARTICULAR TRANSACTIONS

TITLE 1.81. CUSTOMER RECORDS

CA Civ. Code §1798.80. Definitions

[Last amended by Laws 2009, Ch. 134 (A.B. 1094), §1.]

The following definitions apply to this title:

(a) "Business" means a sole proprietorship, partnership, corporation, association, or other group, however organized and

whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license

or authorization certificate under the law of this state, any other state, the United States, or of any other country, or the

parent or the subsidiary of a financial institution. The term includes an entity that disposes of records.

(b) "Records" means any material, regardless of the physical form, on which information is recorded or preserved by any

means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted. "Records"

does not include publicly available directories containing information an individual has voluntarily consented to have

publicly disseminated or listed, such as name, address, or telephone number.

(c) "Customer" means an individual who provides personal information to a business for the purpose of purchasing or

leasing a product or obtaining a service from the business.

(d) "Individual" means a natural person.

(e) "Personal information" means any information that identifies, relates to, describes, or is capable of being associated

with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical

characteristics or description, address, telephone number, passport number, driver's license or state identification card

number, insurance policy number, education, employment, employment history, bank account number, credit card

number, debit card number, or any other financial information, medical information, or health insurance information.

"Personal information" does not include publicly available information that is lawfully made available to the general public

from federal, state, or local government records.

CA Civ. Code §1798.81. Reasonable Steps For Disposal Of Customer Records

[Last amended by Laws 2009, Ch. 134 (A.B. 1094), §2.]

A business shall take all reasonable steps to dispose, or arrange for the disposal of customer records within its custody or

control containing personal information when the records are no longer to be retained by the business by (a) shredding,


(b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or

undecipherable through any means.

CA Civ. Code §1798.81.5. Security Procedures And Practices With Respect To Personal Information About

California Residents

[Last amended by Laws 2015, Ch. 96 (A.B. 1541), §1.]

(a)(1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To

that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information

about Californians to provide reasonable security for that information.

(2) For the purpose of this section, the terms "own" and "license" include personal information that a business retains

as part of the business' internal customer account or for the purpose of using that information in transactions with the

person to whom the information relates. The term "maintain" includes personal information that a business maintains

but does not own or license.

(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and

maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the

personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated

third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain

reasonable security procedures and practices appropriate to the nature of the information, to protect the personal

information from unauthorized access, destruction, use, modification, or disclosure.

(d) For purposes of this section, the following terms have the following meanings:

(1) "Personal information" means either of the following:

(A) An individual's first name or first initial and his or her last name in combination with any one or more of the

following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver's license number or California identification card number.

(iii) Account number, credit or debit card number, in combination with any required security code, access

code, or password that would permit access to an individual's financial account.

(iv) Medical information.

(v) Health insurance information.

(B) A username or email address in combination with a password or security question and answer that would

permit access to an online account.

(2) "Medical information" means any individually identifiable information, in electronic or physical form, regarding the

individual's medical history or medical treatment or diagnosis by a health care professional.

(3) "Health insurance information" means an individual's insurance policy number or subscriber identification number,

any unique identifier used by a health insurer to identify the individual, or any information in an individual's

application and claims history, including any appeals records.

(4) "Personal information" does not include publicly available information that is lawfully made available to the

general public from federal, state, or local government records.

(e) The provisions of this section do not apply to any of the following:

(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical

Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial

Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).

(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health

and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the

Health Insurance Portability and Availability Act of 1996 (HIPAA).

(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of

Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.


(5) A business that is regulated by state or federal law providing greater protection to personal information than that

provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law

shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a

business from a duty to comply with any other requirements of other state and federal law regarding the protection

and privacy of personal information.

CA Civ. Code §1798.82. Person Or Business Who Owns Or Licenses Computerized Data Including Personal

Information; Breach Of Security Of The System; Disclosure Requirements†

[Last amended by Laws 2016, Ch. 86 (S.B. 1171), §21; Ch. 337 (A.B. 2828), §2.]

(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes

personal information, shall disclose a breach of the security of the system following discovery or notification of the breach

in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably

believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is

reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was,

or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or

licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that

personal information readable or useable. The disclosure shall be made in the most expedient time possible and without

unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any

measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) A person or business that maintains computerized data that includes personal information that the person or business

does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately

following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized

person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification

will impede a criminal investigation. The notification required by this section shall be made promptly after the law

enforcement agency determines that it will not compromise the investigation.

(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of

the following requirements:

(1) The security breach notification shall be written in plain language, shall be titled "Notice of Data Breach," and

shall present the information described in paragraph (2) under the following headings: "What Happened," "What

Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." Additional

information may be provided as a supplement to the notice.

(A) The format of the notice shall be designed to call attention to the nature and significance of the information it

contains.

(B) The title and headings in the notice shall be clearly and conspicuously displayed.

(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point

type.

(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification

form prescribed below or use of the headings described in this paragraph with the information described in

paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

[NAME OF INSTITUTION / LOGO] Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information. [insert other important information]

For More Information. Call [telephone number] or go to [Internet Web site]

(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this

paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in

compliance with this subdivision.


(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a

breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the

date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred.

The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible

to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice

is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a

social security number or a driver's license or California identification card number.

(G) If the person or business providing the notification was the source of the breach, an offer to provide

appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected

person for not less than 12 months, along with all information necessary to take advantage of the offer to any

person whose information was or may have been breached if the breach exposed or may have exposed personal

information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been

breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d

et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely

with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law

111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of

this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500

California residents as a result of a single breach of the security system shall electronically submit a single sample copy

of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single

sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the

Government Code.

(g) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized

data that compromises the security, confidentiality, or integrity of personal information maintained by the person or

business. Good faith acquisition of personal information by an employee or agent of the person or business for the

purposes of the person or business is not a breach of the security of the system, provided that the personal information

is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, "personal information" means either of the following:

(1) An individual's first name or first initial and last name in combination with any one or more of the following data

elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver's license number or California identification card number.

(C) Account number or credit or debit card number, in combination with any required security code, access code,

or password that would permit access to an individual's financial account.

(D) Medical information.

(E) Health insurance information.

(F) Information or data collected through the use or operation of an automated license plate recognition system,

as defined in Section 1798.90.5.

(2) A user name or email address, in combination with a password or security question and answer that would permit

access to an online account.


(i)(1) For purposes of this section, "personal information" does not include publicly available information that is lawfully

made available to the general public from federal, state, or local government records.

(2) For purposes of this section, "medical information" means any information regarding an individual's medical

history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, "health insurance information" means an individual's health insurance policy number

or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any

information in an individual's application and claims history, including any appeals records.

(4) For purposes of this section, "encrypted" means rendered unusable, unreadable, or indecipherable to an

unauthorized person through a security technology or methodology generally accepted in the field of information

security.

(j) For purposes of this section, "notice" may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and

signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two

hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds

500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all

of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous posting, for a minimum of 30 days, of the notice on the Internet Web site page of the person or

business, if the person or business maintains one. For purposes of this subparagraph, conspicuous posting on the

person's or business's Internet Web site means providing a link to the notice on the home page or first significant

page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type,

font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by

symbols or other marks that call attention to the link.

(C) Notification to major statewide media.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of

subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h),

the person or business may comply with this section by providing the security breach notification in electronic or

other form that directs the person whose personal information has been breached promptly to change his or her

password and security question or answer, as applicable, or to take other steps appropriate to protect the online

account with the person or business and all other online accounts for which the person whose personal information

has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of

subdivision (h) for login credentials of an email account furnished by the person or business, the person or business

shall not comply with this section by providing the security breach notification to that email address, but may,

instead, comply with this section by providing notice by another method described in this subdivision or by clear and

conspicuous notice delivered to the resident online when the resident is connected to the online account from an

Internet Protocol address or online location from which the person or business knows the resident customarily

accesses the account.

(k) For purposes of this section, “encryption key” and “security credential” mean the confidential key or process designed

to render data useable, readable, and decipherable.

(l) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an

information security policy for the treatment of personal information and is otherwise consistent with the timing

requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the

person or business notifies subject persons in accordance with its policies in the event of a breach of security of the

system.

CA Civ. Code §1798.83. Personal Information; Disclosure To Direct Marketers

[Last amended by Laws 2005, Ch. 22 (S.B. 1108), §16.]

(a) Except as otherwise provided in subdivision (d), if a business has an established business relationship with a

customer and has within the immediately preceding calendar year disclosed personal information that corresponds to any

of the categories of personal information set forth in paragraph (6) of subdivision (e) to third parties, and if the business

knows or reasonably should know that the third parties used the personal information for the third parties' direct

marketing purposes, that business shall, after the receipt of a written or electronic mail request, or, if the business

chooses to receive requests by toll-free telephone or facsimile numbers, a telephone or facsimile request from the

customer, provide all of the following information to the customer free of charge:

(1) In writing or by electronic mail, a list of the categories set forth in paragraph (6) of subdivision (e) that

correspond to the personal information disclosed by the business to third parties for the third parties' direct

marketing purposes during the immediately preceding calendar year.

(2) In writing or by electronic mail, the names and addresses of all of the third parties that received personal

information from the business for the third parties' direct marketing purposes during the preceding calendar year

and, if the nature of the third parties' business cannot reasonably be determined from the third parties' name,

examples of the products or services marketed, if known to the business, sufficient to give the customer a reasonable

indication of the nature of the third parties' business.

(b)(1) A business required to comply with this section shall designate a mailing address, electronic mail address, or, if

the business chooses to receive requests by telephone or facsimile, a toll-free telephone or facsimile number, to which

customers may deliver requests pursuant to subdivision (a). A business required to comply with this section shall, at its

election, do at least one of the following:

(A) Notify all agents and managers who directly supervise employees who regularly have contact with customers

of the designated addresses or numbers or the means to obtain those addresses or numbers and instruct those

employees that customers who inquire about the business's privacy practices or the business's compliance with

this section shall be informed of the designated addresses or numbers or the means to obtain the addresses or

numbers.

(B) Add to the home page of its Web site a link either to a page titled "Your Privacy Rights" or add the words

"Your Privacy Rights" to the home page's link to the business's privacy policy. If the business elects to add the

words "Your Privacy Rights" to the link to the business's privacy policy, the words "Your Privacy Rights" shall be in

the same style and size as the link to the business's privacy policy. If the business does not display a link to its

privacy policy on the home page of its Web site, or does not have a privacy policy, the words "Your Privacy

Rights" shall be written in larger type than the surrounding text, or in contrasting type, font, or color to the

surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other

marks that call attention to the language. The first page of the link shall describe a customer's rights pursuant to

this section and shall provide the designated mailing address, e-mail address, as required, or toll-free telephone

number or facsimile number, as appropriate. If the business elects to add the words "Your California Privacy

Rights" to the home page's link to the business's privacy policy in a manner that complies with this subdivision,

and the first page of the link describes a customer's rights pursuant to this section, and provides the designated

mailing address, electronic mailing address, as required, or toll-free telephone or facsimile number, as

appropriate, the business need not respond to requests that are not received at one of the designated addresses

or numbers.

(C) Make the designated addresses or numbers, or means to obtain the designated addresses or numbers, readily

available upon request of a customer at every place of business in California where the business or its agents

regularly have contact with customers.

The response to a request pursuant to this section received at one of the designated addresses or numbers shall be

provided within 30 days. Requests received by the business at other than one of the designated addresses or

numbers shall be provided within a reasonable period, in light of the circumstances related to how the request was

received, but not to exceed 150 days from the date received.

(2) A business that is required to comply with this section and Section 6803 of Title 15 of the United States Code may

comply with this section by providing the customer the disclosure required by Section 6803 of Title 15 of the United

States Code, but only if the disclosure also complies with this section.

(3) A business that is required to comply with this section is not obligated to provide information associated with

specific individuals and may provide the information required by this section in standardized format.

(c)(1) A business that is required to comply with this section is not obligated to do so in response to a request from a

customer more than once during the course of any calendar year. A business with fewer than 20 full-time or part-time

employees is exempt from the requirements of this section.

(2) If a business that is required to comply with this section adopts and discloses to the public, in its privacy policy, a

policy of not disclosing personal information of customers to third parties for the third parties' direct marketing

purposes unless the customer first affirmatively agrees to that disclosure, or of not disclosing the personal

information of customers to third parties for the third parties' direct marketing purposes if the customer has exercised

an option that prevents that information from being disclosed to third parties for those purposes, as long as the

business maintains and discloses the policies, the business may comply with subdivision (a) by notifying the customer

of his or her right to prevent disclosure of personal information, and providing the customer with a cost-free means to

exercise that right.

(d) The following are among the disclosures not deemed to be disclosures of personal information by a business for a

third party's direct marketing purposes for purposes of this section:

(1) Disclosures between a business and a third party pursuant to contracts or arrangements pertaining to any of the

following:

(A) The processing, storage, management, or organization of personal information, or the performance of services

on behalf of the business during which personal information is disclosed, if the third party that processes, stores,

manages, or organizes the personal information does not use the information for a third party's direct marketing

purposes and does not disclose the information to additional third parties for their direct marketing purposes.

(B) Marketing products or services to customers with whom the business has an established business relationship

where, as a part of the marketing, the business does not disclose personal information to third parties for the

third parties' direct marketing purposes.

(C) Maintaining or servicing accounts, including credit accounts and disclosures pertaining to the denial of

applications for credit or the status of applications for credit and processing bills or insurance claims for payment.

(D) Public record information relating to the right, title, or interest in real property or information relating to

property characteristics, as defined in Section 408.3 of the Revenue and Taxation Code, obtained from a

governmental agency or entity or from a multiple listing service, as defined in Section 1087, and not provided

directly by the customer to a business in the course of an established business relationship.

(E) Jointly offering a product or service pursuant to a written agreement with the third party that receives the

personal information, provided that all of the following requirements are met:

(i) The product or service offered is a product or service of, and is provided by, at least one of the businesses

that is a party to the written agreement.

(ii) The product or service is jointly offered, endorsed, or sponsored by, and clearly and conspicuously

identifies for the customer, the businesses that disclose and receive the disclosed personal information.

(iii) The written agreement provides that the third party that receives the personal information is required to

maintain the confidentiality of the information and is prohibited from disclosing or using the information other

than to carry out the joint offering or servicing of a product or service that is the subject of the written

agreement.

(2) Disclosures to or from a consumer reporting agency of a customer's payment history or other information

pertaining to transactions or experiences between the business and a customer if that information is to be reported

in, or used to generate, a consumer report as defined in subdivision (d) of Section 1681a of Title 15 of the United

States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681

et seq.).

(3) Disclosures of personal information by a business to a third party financial institution solely for the purpose of the

business obtaining payment for a transaction in which the customer paid the business for goods or services with a

check, credit card, charge card, or debit card, if the customer seeks the information required by subdivision (a) from

the business obtaining payment, whether or not the business obtaining payment knows or reasonably should know

that the third party financial institution has used the personal information for its direct marketing purposes.

(4) Disclosures of personal information between a licensed agent and its principal, if the personal information

disclosed is necessary to complete, effectuate, administer, or enforce transactions between the principal and the

agent, whether or not the licensed agent or principal also uses the personal information for direct marketing

purposes, if that personal information is used by each of them solely to market products and services directly to

customers with whom both have established business relationships as a result of the principal and agent relationship.

(5) Disclosures of personal information between a financial institution and a business that has a private label credit

card, affinity card, retail installment contract, or cobranded card program with the financial institution, if the personal

information disclosed is necessary for the financial institution to maintain or service accounts on behalf of the

business with which it has a private label credit card, affinity card, retail installment contract, or cobranded card

program, or to complete, effectuate, administer, or enforce customer transactions or transactions between the

institution and the business, whether or not the institution or the business also uses the personal information for

direct marketing purposes, if that personal information is used solely to market products and services directly to

customers with whom both the business and the financial institution have established business relationships as a

result of the private label credit card, affinity card, retail installment contract, or cobranded card program.

(e) For purposes of this section, the following terms have the following meanings:

(1) "Customer" means an individual who is a resident of California who provides personal information to a business

during the creation of, or throughout the duration of, an established business relationship if the business relationship

is primarily for personal, family, or household purposes.

(2) "Direct marketing purposes" means the use of personal information to solicit or induce a purchase, rental, lease,

or exchange of products, goods, property, or services directly to individuals by means of the mail, telephone, or

electronic mail for their personal, family, or household purposes. The sale, rental, exchange, or lease of personal

information for consideration to businesses is a direct marketing purpose of the business that sells, rents, exchanges,

or obtains consideration for the personal information. "Direct marketing purposes" does not include the use of

personal information (A) by bona fide tax exempt charitable or religious organizations to solicit charitable

contributions, (B) to raise funds from and communicate with individuals regarding politics and government, (C) by a

third party when the third party receives personal information solely as a consequence of having obtained for

consideration permanent ownership of accounts that might contain personal information, or (D) by a third party when

the third party receives personal information solely as a consequence of a single transaction where, as a part of the

transaction, personal information had to be disclosed in order to effectuate the transaction.

(3) "Disclose" means to disclose, release, transfer, disseminate, or otherwise communicate orally, in writing, or by

electronic or any other means to any third party.

(4) "Employees who regularly have contact with customers" means employees whose contact with customers is not

incidental to their primary employment duties, and whose duties do not predominantly involve ensuring the safety or

health of the business's customers. It includes, but is not limited to, employees whose primary employment duties

are as cashier, clerk, customer service, sales, or promotion. It does not, by way of example, include employees

whose primary employment duties consist of food or beverage preparation or service, maintenance and repair of the

business's facilities or equipment, direct involvement in the operation of a motor vehicle, aircraft, watercraft,

amusement ride, heavy machinery or similar equipment, security, or participation in a theatrical, literary, musical,

artistic, or athletic performance or contest.

(5) "Established business relationship" means a relationship formed by a voluntary, two-way communication between

a business and a customer, with or without an exchange of consideration, for the purpose of purchasing, renting, or

leasing real or personal property, or any interest therein, or obtaining a product or service from the business, if the

relationship is ongoing and has not been expressly terminated by the business or the customer, or if the relationship

is not ongoing, but is solely established by the purchase, rental, or lease of real or personal property from a business,

or the purchase of a product or service, and no more than 18 months have elapsed from the date of the purchase,

rental, or lease.

(6)(A) The categories of personal information required to be disclosed pursuant to paragraph (1) of subdivision (a)

are all of the following:

(i) Name and address.

(ii) Electronic mail address.

(iii) Age or date of birth.

(iv) Names of children.

(v) Electronic mail or other addresses of children.

(vi) Number of children.

(vii) The age or gender of children.

(viii) Height.

(ix) Weight.

(x) Race.

(xi) Religion.

(xii) Occupation.

(xiii) Telephone number.

(xiv) Education.

(xv) Political party affiliation.

(xvi) Medical condition.

(xvii) Drugs, therapies, or medical products or equipment used.

(xviii) The kind of product the customer purchased, leased, or rented.

(xix) Real property purchased, leased, or rented.

(xx) The kind of service provided.

(xxi) Social security number.

(xxii) Bank account number.

(xxiii) Credit card number.

(xxiv) Debit card number.

(xxv) Bank or investment account, debit card, or credit card balance.

(xxvi) Payment history.

(xxvii) Information pertaining to the customer's creditworthiness, assets, income, or liabilities.

(B) If a list, description, or grouping of customer names or addresses is derived using any of these categories,

and is disclosed to a third party for direct marketing purposes in a manner that permits the third party to identify,

determine, or extrapolate any other personal information from which the list was derived, and that personal

information when it was disclosed identified, described, or was associated with an individual, the categories set

forth in this subdivision that correspond to the personal information used to derive the list, description, or

grouping shall be considered personal information for purposes of this section.

(7) "Personal information" as used in this section means any information that when it was disclosed identified,

described, or was able to be associated with an individual and includes all of the following:

(A) An individual's name and address.

(B) Electronic mail address.

(C) Age or date of birth.

(D) Names of children.

(E) Electronic mail or other addresses of children.

(F) Number of children.

(G) The age or gender of children.

(H) Height.

(I) Weight.

(J) Race.

(K) Religion.

(L) Occupation.

(M) Telephone number.

(N) Education.

(O) Political party affiliation.

(P) Medical condition.

(Q) Drugs, therapies, or medical products or equipment used.

(R) The kind of product the customer purchased, leased, or rented.

(S) Real property purchased, leased, or rented.

(T) The kind of service provided.

(U) Social security number.

(V) Bank account number.

(W) Credit card number.

(X) Debit card number.

(Y) Bank or investment account, debit card, or credit card balance.

(Z) Payment history.

(AA) Information pertaining to creditworthiness, assets, income, or liabilities.

(8) "Third party" or "third parties" means one or more of the following:

(A) A business that is a separate legal entity from the business that has an established business relationship with

a customer.

(B) A business that has access to a database that is shared among businesses, if the business is authorized to use

the database for direct marketing purposes, unless the use of the database is exempt from being considered a

disclosure for direct marketing purposes pursuant to subdivision (d).

(C) A business not affiliated by a common ownership or common corporate control with the business required to

comply with subdivision (a).

(f)(1) Disclosures of personal information for direct marketing purposes between affiliated third parties that share the

same brand name are exempt from the requirements of paragraph (1) of subdivision (a) unless the personal information

disclosed corresponds to one of the following categories, in which case the customer shall be informed of those

categories listed in this subdivision that correspond to the categories of personal information disclosed for direct

marketing purposes and the third party recipients of personal information disclosed for direct marketing purposes

pursuant to paragraph (2) of subdivision (a):

(A) Number of children.

(B) The age or gender of children.

(C) Electronic mail or other addresses of children.

(D) Height.

(E) Weight.

(F) Race.

(G) Religion.

(H) Telephone number.

(I) Medical condition.

(J) Drugs, therapies, or medical products or equipment used.

(K) Social security number.

(L) Bank account number.

(M) Credit card number.

(N) Debit card number.

(O) Bank or investment account, debit card, or credit card balance.

(2) If a list, description, or grouping of customer names or addresses is derived using any of these categories, and is

disclosed to a third party or third parties sharing the same brand name for direct marketing purposes in a manner

that permits the third party to identify, determine, or extrapolate the personal information from which the list was

derived, and that personal information when it was disclosed identified, described, or was associated with an

individual, any other personal information that corresponds to the categories set forth in this subdivision used to

derive the list, description, or grouping shall be considered personal information for purposes of this section.

(3) If a business discloses personal information for direct marketing purposes to affiliated third parties that share the

same brand name, the business that discloses personal information for direct marketing purposes between affiliated

third parties that share the same brand name may comply with the requirements of paragraph (2) of subdivision (a)

by providing the overall number of affiliated companies that share the same brand name.

(g) The provisions of this section are severable. If any provision of this section or its application is held invalid, that

invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or

application.

(h) This section does not apply to a financial institution that is subject to the California Financial Information Privacy Act

(Division 1.2 (commencing with Section 4050) of the Financial Code) if the financial institution is in compliance with

Sections 4052, 4052.5, 4053, 4053.5 and 4054.6 of the Financial Code, as those sections read when they were

chaptered on August 28, 2003, and as subsequently amended by the Legislature or by initiative.

(i) This section shall become operative on January 1, 2005.

CA Civ. Code §1798.84. Waiver And Violations Of Provisions Of This Title; Civil Actions And Penalties;

Disposal Of Abandoned Records Containing Personal Information; Attorney's Fees And Costs

[Last amended by Laws 2009, Ch. 134 (A.B. 1094), §3.]

(a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.

(b) Any customer injured by a violation of this title may institute a civil action to recover damages.

(c) In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty

not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to

five hundred dollars ($500) per violation for a violation of Section 1798.83.

(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the

information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide

any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period

required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it

thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate

information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the

date the business knew that it had failed to provide the information, timely information, all the information, or the

accurate information, respectively.

(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.

(f)(1) A cause of action shall not lie against a business for disposing of abandoned records containing personal

information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable

or undecipherable through any means.

(2) The Legislature finds and declares that when records containing personal information are abandoned by a

business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the

Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records

in accordance with paragraph (1).

(g) A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her

reasonable attorney’s fees and costs.

(h) The rights and remedies available under this section are cumulative to each other and to any other rights and

remedies available under law.

INTERNET PRIVACY AND E-MAIL SOLICITATION

BUSINESS AND PROFESSIONS CODE

DIVISION 7. GENERAL BUSINESS REGULATIONS

PART 3. REPRESENTATIONS TO THE PUBLIC

CHAPTER 1. ADVERTISING

Article 1.8. Restrictions On Unsolicited Commercial E-Mail Advertisers

CA Bus. Prof. Code §17529.1. Definitions

[Last amended by Laws 2004, Ch. 183 (A.B. 3082), §14.]

For the purpose of this article, the following definitions apply:

(a) "Advertiser" means a person or entity that advertises through the use of commercial e-mail advertisements.

(b) "California electronic mail address" or "California e-mail address" means any of the following:

(1) An e-mail address furnished by an electronic mail service provider that sends bills for furnishing and maintaining

that e-mail address to a mailing address in this state.

(2) An e-mail address ordinarily accessed from a computer located in this state.

(3) An e-mail address furnished to a resident of this state.

(c) "Commercial e-mail advertisement" means any electronic mail message initiated for the purpose of advertising or

promoting the lease, sale, rental, gift offer, or other disposition of any property, goods, services, or extension of credit.

(d) "Direct consent" means that the recipient has expressly consented to receive e-mail advertisements from the

advertiser, either in response to a clear and conspicuous request for the consent or at the recipient's own initiative.

(e) "Domain name" means any alphanumeric designation that is registered with or assigned by any domain name

registrar as part of an electronic address on the Internet.

(f) "Electronic mail" or "e-mail" means an electronic message that is sent to an e-mail address and transmitted between

two or more telecommunications devices, computers, or electronic devices capable of receiving electronic messages,

whether or not the message is converted to hard copy format after receipt, viewed upon transmission, or stored for later

retrieval. "Electronic mail" or "e-mail" includes electronic messages that are transmitted through a local, regional, or

global computer network.

(g) "Electronic mail address" or "e-mail address" means a destination, commonly expressed as a string of characters, to

which electronic mail can be sent or delivered. An "electronic mail address" or "e-mail address" consists of a user name

or mailbox and a reference to an Internet domain.

(h) "Electronic mail service provider" means any person, including an Internet service provider, that is an intermediary in

sending or receiving electronic mail or that provides to end users of the electronic mail service the ability to send or

receive electronic mail.

(i) "Initiate" means to transmit or cause to be transmitted a commercial e-mail advertisement or assist in the

transmission of a commercial e-mail advertisement by providing electronic mail addresses where the advertisement may

be sent, but does not include the routine transmission of the advertisement through the network or system of a

telecommunications utility or an electronic mail service provider through its network or system.

(j) "Incident" means a single transmission or delivery to a single recipient or to multiple recipients of an unsolicited

commercial e-mail advertisement containing substantially similar content.

(k) "Internet" has the meaning set forth in paragraph (6) of subdivision (e) of Section 17538.

(l) "Preexisting or current business relationship," as used in connection with the sending of a commercial e-mail

advertisement, means that the recipient has made an inquiry and has provided his or her e-mail address, or has made an

application, purchase, or transaction, with or without consideration, regarding products or services offered by the

advertiser.

Commercial e-mail advertisements sent pursuant to the exemption provided for a preexisting or current business

relationship shall provide the recipient of the commercial e-mail advertisement with the ability to "opt-out" from

receiving further commercial e-mail advertisements by calling a toll-free telephone number or by sending an

"unsubscribe" e-mail to the advertiser offering the products or services in the commercial e-mail advertisement. This opt-out

provision does not apply to recipients who are receiving free e-mail service with regard to commercial e-mail

advertisements sent by the provider of the e-mail service.

(m) "Recipient" means the addressee of an unsolicited commercial e-mail advertisement. If an addressee of an

unsolicited commercial e-mail advertisement has one or more e-mail addresses to which an unsolicited commercial

e-mail advertisement is sent, the addressee shall be deemed to be a separate recipient for each e-mail address to which

the e-mail advertisement is sent.

(n) "Routine transmission" means the transmission, routing, relaying, handling, or storing of an electronic mail message

through an automatic technical process. "Routine transmission" shall not include the sending, or the knowing

participation in the sending, of unsolicited commercial e-mail advertisements.

(o) "Unsolicited commercial e-mail advertisement" means a commercial e-mail advertisement sent to a recipient who

meets both of the following criteria:

(1) The recipient has not provided direct consent to receive advertisements from the advertiser.


(2) The recipient does not have a preexisting or current business relationship, as defined in subdivision (l), with the advertiser promoting the lease, sale, rental, gift offer, or other disposition of any property, goods, services, or extension of credit.

CA Bus. Prof. Code §17529.2. Prohibited Activities

[Enacted by Laws 2003, Ch. 487 (S.B. 186), §1.]

Notwithstanding any other provision of law, a person or entity may not do any of the following:

(a) Initiate or advertise in an unsolicited commercial e-mail advertisement from California or advertise in an unsolicited commercial e-mail advertisement sent from California.

(b) Initiate or advertise in an unsolicited commercial e-mail advertisement to a California electronic mail address, or advertise in an unsolicited commercial e-mail advertisement sent to a California electronic mail address.

(c) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application.

CA Bus. Prof. Code §17529.3. Providers Of Internet Access Services; Application Of Article

[Enacted by Laws 2003, Ch. 487 (S.B. 186), §1.]

Nothing in this article shall be construed to limit or restrict the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, receive, route, relay, handle, or store certain types of electronic mail messages.

CA Bus. Prof. Code §17529.4. Unlawful Activities Relating To E-Mail Addresses; Automated Gathering Of Certain Information

[Enacted by Laws 2003, Ch. 487 (S.B. 186), §1.]

(a) It is unlawful for any person or entity to collect electronic mail addresses posted on the Internet if the purpose of the collection is for the electronic mail addresses to be used to do either of the following:

(1) Initiate or advertise in an unsolicited commercial e-mail advertisement from California, or advertise in an unsolicited commercial e-mail advertisement sent from California.

(2) Initiate or advertise in an unsolicited commercial e-mail advertisement to a California electronic mail address, or advertise in an unsolicited commercial e-mail advertisement sent to a California electronic mail address.

(b) It is unlawful for any person or entity to use an electronic mail address obtained by using automated means based on a combination of names, letters, or numbers to do either of the following:

(1) Initiate or advertise in an unsolicited commercial e-mail advertisement from California, or advertise in an unsolicited commercial e-mail advertisement sent from California.

(2) Initiate or advertise in an unsolicited commercial e-mail advertisement to a California electronic mail address, or advertise in an unsolicited commercial e-mail advertisement sent to a California electronic mail address.

(c) It is unlawful for any person to use scripts or other automated means to register for multiple electronic mail accounts from which to do, or to enable another person to do, either of the following:

(1) Initiate or advertise in an unsolicited commercial e-mail advertisement from California, or advertise in an unsolicited commercial e-mail advertisement sent from California.

(2) Initiate or advertise in an unsolicited commercial e-mail advertisement to a California electronic mail address, or advertise in an unsolicited commercial e-mail advertisement sent to a California electronic mail address.

CA Bus. Prof. Code §17529.5. Unlawful Activities Relating To Commercial E-Mail Advertisements; Additional Remedies

[Last amended by Laws 2005, Ch. 247 (S.B. 97), §1.]

(a) It is unlawful for any person or entity to advertise in a commercial e-mail advertisement either sent from California or sent to a California electronic mail address under any of the following circumstances:

(1) The e-mail advertisement contains or is accompanied by a third-party's domain name without the permission of the third party.


(2) The e-mail advertisement contains or is accompanied by falsified, misrepresented, or forged header information. This paragraph does not apply to truthful information used by a third party who has been lawfully authorized by the advertiser to use that information.

(3) The e-mail advertisement has a subject line that a person knows would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.

(b)(1)(A) In addition to any other remedies provided by any other provision of law, the following may bring an action against a person or entity that violates any provision of this section:

(i) The Attorney General.

(ii) An electronic mail service provider.

(iii) A recipient of an unsolicited commercial e-mail advertisement, as defined in Section 17529.1.

(B) A person or entity bringing an action pursuant to subparagraph (A) may recover either or both of the following:

(i) Actual damages.

(ii) Liquidated damages of one thousand dollars ($1,000) for each unsolicited commercial e-mail advertisement transmitted in violation of this section, up to one million dollars ($1,000,000) per incident.

(C) The recipient, an electronic mail service provider, or the Attorney General, if the prevailing plaintiff, may also recover reasonable attorney's fees and costs.

(D) However, there shall not be a cause of action under this section against an electronic mail service provider that is only involved in the routine transmission of the e-mail advertisement over its computer network.

(2) If the court finds that the defendant established and implemented, with due care, practices and procedures reasonably designed to effectively prevent unsolicited commercial e-mail advertisements that are in violation of this section, the court shall reduce the liquidated damages recoverable under paragraph (1) to a maximum of one hundred dollars ($100) for each unsolicited commercial e-mail advertisement, or a maximum of one hundred thousand dollars ($100,000) per incident.

(3)(A) A person who has brought an action against a party under this section shall not bring an action against that party under Section 17529.8 or 17538.45 for the same commercial e-mail advertisement, as defined in subdivision (c) of Section 17529.1.

(B) A person who has brought an action against a party under Section 17529.8 or 17538.45 shall not bring an action against that party under this section for the same commercial e-mail advertisement, as defined in subdivision (c) of Section 17529.1.

(c) A violation of this section is a misdemeanor, punishable by a fine of not more than one thousand dollars ($1,000), imprisonment in a county jail for not more than six months, or both that fine and imprisonment.

CA Bus. Prof. Code §17529.8. Remedies

[Enacted by Laws 2003, Ch. 487 (S.B. 186), §1.]

(a)(1) In addition to any other remedies provided by this article or by any other provisions of law, a recipient of an unsolicited commercial e-mail advertisement transmitted in violation of this article, an electronic mail service provider, or the Attorney General may bring an action against an entity that violates any provision of this article to recover either or both of the following:

(A) Actual damages.

(B) Liquidated damages of one thousand dollars ($1,000) for each unsolicited commercial e-mail advertisement transmitted in violation of Section 17529.2, up to one million dollars ($1,000,000) per incident.

(2) The recipient, an electronic mail service provider, or the Attorney General, if the prevailing plaintiff, may also recover reasonable attorney's fees and costs.

(3) However, there shall not be a cause of action against an electronic mail service provider that is only involved in the routine transmission of the unsolicited commercial e-mail advertisement over its computer network.

(b) If the court finds that the defendant established and implemented, with due care, practices and procedures reasonably designed to effectively prevent unsolicited commercial e-mail advertisements that are in violation of this article, the court shall reduce the liquidated damages recoverable under subdivision (a) to a maximum of one hundred dollars ($100) for each unsolicited commercial e-mail advertisement, or a maximum of one hundred thousand dollars ($100,000) per incident.

CA Bus. Prof. Code §17529.9. Severability

[Enacted by Laws 2003, Ch. 487 (S.B. 186), §1.]

The provisions of this article are severable. If any provision of this article or its application is held invalid, that invalidity shall not affect any other provision or application that can be given effect without the invalid provision or application.

Article 2. Particular Offenses

CA Bus. Prof. Code §17538.43. Use Of Telephone Facsimile Machine To Send Unsolicited Advertisement; Initiating Facsimile Communication; Prohibitions

[Enacted by Laws 2005, Ch. 667 (S.B. 833), §1.]

(a) As used in this section, the following terms have the following meanings:

(1) "Telephone facsimile machine" means equipment that has the capacity to do either or both of the following:

(A) Transcribe text or images, or both, from paper into an electronic signal and to transmit that signal over a regular telephone line.

(B) Transcribe text or images, or both, from an electronic signal received over a regular telephone line onto paper.

(2) "Unsolicited advertisement" means any material advertising the commercial availability or quality of any property, goods, or services that is transmitted to any person or entity without that person's or entity's prior express invitation or permission. Prior express invitation or permission may be obtained for a specific or unlimited number of advertisements and may be obtained for a specific or unlimited period of time.

(b)(1) It is unlawful for a person or entity, if either the person or entity or the recipient is located within California, to use any telephone facsimile machine, computer, or other device to send, or cause another person or entity to use such a device to send, an unsolicited advertisement to a telephone facsimile machine.

(2) In addition to any other remedy provided by law, including a remedy provided by the Telephone Consumer Act (47 U.S.C. Sec. 227 and following), a person or entity may bring an action for a violation of this subdivision seeking the following relief:

(A) Injunctive relief against further violations.

(B) Actual damages or statutory damages of five hundred dollars ($500) per violation, whichever amount is greater.

(C) Both injunctive relief and damages as set forth in subparagraphs (A) and (B).

If the court finds that the defendant willfully or knowingly violated this subdivision, the court may, in its discretion, increase the amount of the award to an amount equal to not more than three times the amount otherwise available under subparagraph (B).

(c) It is unlawful for a person or entity, if either the person or entity or the recipient is located in California, to do either of the following:

(1) Initiate any communication using a telephone facsimile machine that does not clearly mark, in a margin at the top or bottom of each transmitted page or on the first page of each transmission, the date and time sent, an identification of the business, other entity, or individual sending the message, and the telephone number of the sending machine or of the business, other entity, or individual.

(2) Use a computer or other electronic device to send any message via a telephone facsimile machine unless it is clearly marked, in a margin at the top or bottom of each transmitted page of the message or on the first page of the transmission, the date and time it is sent and the identification of the business, other entity, or individual sending the message and the telephone number of the sending machine or of the business, other entity, or individual.

(d) This section shall not apply to a facsimile sent by or on behalf of a professional or trade association that is a tax-exempt nonprofit organization and in furtherance of the association's tax-exempt purpose to a member of the association, provided that all of the following conditions are met:

(1) The member voluntarily provided the association the facsimile number to which the facsimile was sent.


(2) The facsimile is not primarily for the purpose of advertising the commercial availability or quality of any property, goods, or services of one or more third parties.

(3) The member who is sent the facsimile has not requested that the association stop sending facsimiles for the purpose of advertising the commercial availability or quality of any property, goods, or services of one or more third parties.

DIVISION 8. SPECIAL BUSINESS REGULATIONS

CHAPTER 22. INTERNET PRIVACY REQUIREMENTS

CA Bus. Prof. Code §22575. Commercial Web Site Operators; Posting Of Privacy Policy; Violation Of Subdivision For Failure To Post Policy; Policy Requirements

[Last amended by Laws 2013, C. 390 (A.B. 370), §1.]

(a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.

(b) The privacy policy required by subdivision (a) shall do all of the following:

(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service.

(4) Identify its effective date.

(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Web sites or online services, if the operator engages in that collection.

(6) Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service.

(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

CA Bus. Prof. Code §22576. Violation Of Section For Failure To Comply With Provisions Of Posted Privacy Policy

[Enacted by Laws 2003, Ch. 829 (A.B. 68), §3.]

An operator of a commercial Web site or online service that collects personally identifiable information through the Web site or online service from individual consumers who use or visit the commercial Web site or online service and who reside in California shall be in violation of this section if the operator fails to comply with the provisions of Section 22575 or with the provisions of its posted privacy policy in either of the following ways:

(a) Knowingly and willfully.

(b) Negligently and materially.

CA Bus. Prof. Code §22577. Definitions

[Enacted by Laws 2003, Ch. 829 (A.B. 68), §3.]

For the purposes of this chapter, the following definitions apply:


(a) The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

(1) A first and last name.

(2) A home or other physical address, including street name and name of a city or town.

(3) An e-mail address.

(4) A telephone number.

(5) A social security number.

(6) Any other identifier that permits the physical or online contacting of a specific individual.

(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

(b) The term "conspicuously post" with respect to a privacy policy shall include posting the privacy policy through any of the following:

(1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.

(2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.

(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:

(A) Includes the word "privacy."

(B) Is written in capital letters equal to or greater in size than the surrounding text.

(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

(5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

(c) The term "operator" means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.

(d) The term "consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

CHAPTER 33. ANTI-PHISHING ACT OF 2005

CA Bus. Prof. Code §22948. Short Title

[Enacted by Laws 2005, Ch. 437 (S.B. 355), §1.]

This chapter shall be known and may be cited as the Anti-Phishing Act of 2005.

CA Bus. Prof. Code §22948.1. Definitions

[Enacted by Laws 2005, Ch. 437 (S.B. 355), §1.]

For the purposes of this chapter, the following terms have the following meanings:

(a) "Electronic mail message" means a message sent to a unique destination, commonly expressed as a string of characters, consisting of a unique user name or mailbox (commonly referred to as the "local part") and a reference to an Internet domain (commonly referred to as the "domain part"), whether or not displayed, to which an electronic message can be sent or delivered.


(b) "Identifying information" means, with respect to an individual, any of the following:

(1) Social security number.

(2) Driver's license number.

(3) Bank account number.

(4) Credit card or debit card number.

(5) Personal identification number (PIN).

(6) Automated or electronic signature.

(7) Unique biometric data.

(8) Account password.

(9) Any other piece of information that can be used to access an individual's financial accounts or to obtain goods or services.

(c) "Internet" shall have the meaning as defined in paragraph (6) of subdivision (f) of Section 17538.

(d) "Web page" means a location that has a single uniform resource locator or other single location with respect to the Internet.

CA Bus. Prof. Code §22948.2. Unlawful Requests By Misrepresentation

[Enacted by Laws 2005, Ch. 437 (S.B. 355), §1.]

It shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.

CA Bus. Prof. Code §22948.3. Remedies For Violation

[Enacted by Laws 2005, Ch. 437 (S.B. 355), §1.]

(a) The following persons may bring an action against a person who violates or is in violation of Section 22948.2:

(1) A person who (A) is engaged in the business of providing Internet access service to the public, owns a Web page, or owns a trademark, and (B) is adversely affected by a violation of Section 22948.2.

An action brought under this paragraph may seek to recover the greater of actual damages or five hundred thousand dollars ($500,000).

(2) An individual who is adversely affected by a violation of Section 22948.2 may bring an action, but only against a person who has directly violated Section 22948.2.

An action brought under this paragraph may seek to enjoin further violations of Section 22948.2 and to recover the greater of three times the amount of actual damages or five thousand dollars ($5,000) per violation.

(b) The Attorney General or a district attorney may bring an action against a person who violates or is in violation of Section 22948.2 to enjoin further violations of Section 22948.2 and to recover a civil penalty of up to two thousand five hundred dollars ($2,500) per violation.

(c) In an action pursuant to this section, a court may, in addition, do either or both of the following:

(1) Increase the recoverable damages to an amount up to three times the damages otherwise recoverable under subdivision (a) in cases in which the defendant has engaged in a pattern and practice of violating Section 22948.2.

(2) Award costs of suit and reasonable attorney's fees to a prevailing plaintiff.

(d) The remedies provided in this section do not preclude the seeking of remedies, including criminal remedies, under any other applicable provision of law.

(e) For purposes of paragraph (1) of subdivision (a), multiple violations of Section 22948.2 resulting from any single action or conduct shall constitute one violation.


DO NOT CALL AND TELEPHONE SOLICITATION

BUSINESS AND PROFESSIONS CODE

DIVISION 7. GENERAL BUSINESS REGULATIONS

PART 3. REPRESENTATIONS TO THE PUBLIC

CHAPTER 1. ADVERTISING

Article 8. Unsolicited And Unwanted Telephone Solicitations

CA Bus. Prof. Code §17591. "Do Not Call" List; Unlawful Activities

[Last amended by Laws 2003, Ch. 779 (S.B. 33), §2.]

It is unlawful for any person to do any of the following: using the "do not call" list for any purpose other than to comply with this article or applicable federal laws; denying or interfering in any way, directly or indirectly, with a subscriber's right to place a California telephone number on the "do not call" list; causing a subscriber to participate in and be included on the "do not call" list without the subscriber's knowledge or consent; selling or leasing the "do not call" list to a person other than a telephone solicitor; selling or leasing by a telephone solicitor of the "do not call" list; charging a fee to place a California telephone number on the "do not call" list; and a telephone solicitor, either directly or indirectly, persuading a subscriber with whom it has an established business relationship to place his or her telephone number on the "do not call" list, if the solicitation has the effect of preventing competitors from contacting that solicitor's customers.

CA Bus. Prof. Code §17592. Prohibited Calls

[Last amended by Laws 2008, Ch. 738 (A.B. 2059), §2.]

(a) For purposes of this article:

(1) A "telephone solicitor" means any person or entity who, on his or her own behalf or through salespersons or agents, announcing devices, or otherwise, makes or causes a telephone call to be made to a California telephone number that does any of the following:

(A) Seeks to offer a prize or to rent, sell, exchange, promote, gift, or lease goods or services or documents that can be used to obtain goods or services.

(B) Offers or solicits or seeks to offer or solicit any extension of credit for personal, family, or household purposes.

(C) Seeks marketing information that will or may be used for the direct solicitation of a sale of goods or services to the subscriber.

(D) Seeks to sell or promote any investment, insurance, or financial services.

(E) Seeks to make any telephone solicitation or attempted telephone solicitation as described in Section 17511.1.

(2) "Do not call" list means the California telephone numbers on the national "do not call" registry established and maintained by the Federal Trade Commission, as described in Section 310.4(b)(1)(iii)(B) of Title 16 of the Code of Federal Regulations. A "do not call" list is current if it was obtained from the Federal Trade Commission no more than three months prior to the date a call is made.

(b) A person or entity does not necessarily qualify as a telephone solicitor if the products or services of the person or entity are sold or marketed by an independent contractor whose business practices are not controlled by the person or entity.

(c) Except for telephone calls described in subdivision (e), beginning on the 31st day after the Federal Trade Commission makes its first "do not call" list available to telephone solicitors, no telephone solicitor shall call any telephone number on the then current "do not call" list and do any of the following:

(1) Seek to offer a prize or to rent, sell, exchange, promote, gift, or lease goods or services or documents that can be used to obtain goods or services.

(2) Offer or solicit or seek to offer or solicit any extension of credit for personal, family, or household purposes.

(3) Seek marketing information that will or may be used for the direct solicitation of a sale of goods or services to the subscriber.

(4) Seek to sell or promote any investment, insurance, or financial services.


(5) Seek to make any telephone solicitation or attempted telephone solicitation as described in Section 17511.1.

(d) No person or entity that sells, leases, exchanges, or rents telephone solicitation lists shall include in those lists those

telephone numbers that appear on the current "do not call" list, except that this subdivision does not apply to lists used

for directory assistance and numbers published in telephone directories that list substantially all publicly available

telephone numbers in a specific geographic area.

(e) Subdivision (c) shall not apply to any of the following:

(1) Telephone calls made pursuant to the express agreement, in writing, of the subscriber to place calls to that

California telephone number. This written agreement shall clearly evidence the person's authorization that calls made

by or on behalf of a specific party may be placed to that California telephone number, and shall include the signature

of that person. In any dispute regarding whether a subscriber has provided this express written permission, the

telephone solicitor has the burden of proving that the subscriber has provided this permission by producing the

original or a facsimile document, signed by the subscriber, evidencing that permission; or an advertisement by the

subscriber. "Express agreement" does not include any consent or permission included in any contract of adhesion.

(2) Telephone calls made pursuant to the express request of the subscriber. "Express request" may include a

telephone call from a person or entity who has been provided the subscriber's telephone number and name as a

referral from a solicitor with which the subscriber has an established business relationship, if that solicitor has

obtained the subscriber's express request for the referral. "Express request" does not include any consent or

permission included in any contract of adhesion. A telephone call is presumed not to be made at the express request

of a subscriber if one of the following occurs, as applicable:

(A) The call is made 30 business days after the last date on which the subscriber contacted a business with the

purpose of inquiring about the potential purchase of goods or services.

(B) The call is made 30 business days after the last date on which the subscriber consented to be contacted.

(C) The call is made after the subscriber has requested that no further telephone calls be made to him or her.

(D) The call is made 30 business days after a product or service becomes available where the subscriber has

made a request to the business for that product or service that is not then available, and requests a call when the

product or service becomes available.

(3) Telephone calls made in connection with the collection of a debt or the offer by a creditor to the subscriber of an extension of credit to pay a delinquent obligation owed by the subscriber to that creditor.

(4) Telephone calls made to a subscriber if the telephone solicitor has an established business relationship with the subscriber. As used in this article, "established business relationship" means a relationship between a seller and a subscriber based on the subscriber's purchase, rental, or lease of the seller's goods or services or a financial transaction between the consumer and seller, within the 18 months immediately preceding the date of a telemarketing call. If a subscriber purchases or obtains a product or service through a licensed agent or broker, for purposes of this article an established business relationship is created with the licensed agent or broker individually, apart from and in addition to, any established business relationship that may have been created by a licensed agent or broker acting on behalf of another, and the licensed agent or broker is a telephone solicitor, as defined in subdivision (a). Notwithstanding the provisions of this paragraph, an established business relationship does not exist between the subscriber and any separate legal entity associated with the telephone solicitor not acting as an agent or vendor on behalf of the telephone solicitor, as defined in subdivision (a), unless the separate legal entity shares the brand name of a business with which the subscriber has an otherwise established business relationship. If the subscriber instructs the telephone solicitor to place the subscriber on the telephone solicitor's list pursuant to Section 64.1200 of Title 47 of the Code of Federal Regulations and Section 310.4(b)(1)(iii)(A) of Title 16 of the Code of Federal Regulations, that instruction shall be binding on the entity with which the subscriber has the established business relationship, with any entity that has the shared brand name, and all other entities that share that brand name, none of whom may initiate further telephone solicitation calls to that subscriber. Separate legal entities include, but are not limited to, any parent company or entity, any subsidiary company or entity, any partnership or copartner, any joint venture or venturer, association member, or comember, or any affiliated company or entity.

(5) Telephone calls made by an individual businessperson or a small business if the individual businessperson or small business employs no more than five full- or part-time employees or independent contractors, the individual businessperson or a principal of the small business makes the telephone calls himself or herself for the sale of goods or services offered by that individual businessperson or small business, and the telephone calls are made to subscribers within a 50-mile radius of the location of the individual businessperson or small business. For purposes of this section, the services offered by the individual businessperson or small business cannot be telemarketing services. For purposes of this section, those independent contractors and employees with whom an individual businessperson or a small business is required to have a written independent contractor or employment agreement pursuant to a regulatory scheme to ensure regulatory accountability of those independent contractors or employees, are not counted against the total referenced above.

(6) A telephone call made solely to verify that a subscriber, and not an unauthorized third party, has terminated an established business relationship.

(7) Telephone calls made by a tax-exempt charitable organization.

(8) A telephone call made for the purpose of soliciting a donation without the purchase of goods or services.

(f)(1) Nothing in this section prohibits a telephone solicitor from contacting by mail a subscriber whose telephone number appears on the "do not call" list to obtain the subscriber's express written permission allowing the telephone solicitor to make the calls described in subdivision (c).

(2) An express written permission described in paragraph (1) shall include a clear and conspicuous disclosure of all of the following, except as provided in paragraph (3):

(A) Identification of the name of the sender of the mailing and of the entity that is requesting permission to call.

(B) The subscriber's telephone number to which the calls may be placed.

(C) The signature of the subscriber authorizing the call.

(D) Notice that the subscriber may be contacted by a telephone solicitor or someone calling on behalf of the specific party identified in the request for permission, even if the subscriber's telephone number is listed on the federal "do not call" registry.

(3) Where there is an established business relationship, as defined under state or federal law, between a subscriber and a telephone solicitor, express written permission described in paragraph (1) is not required.

(4) In any dispute regarding whether a subscriber has provided this express written permission, the telephone solicitor has the burden of proving that the subscriber has provided this permission by producing the original or a facsimile document, signed by the subscriber, evidencing that permission.

CA Bus. Prof. Code §17593. Civil Actions

[Last amended by Laws 2004, Ch. 183 (A.B. 3082), §17.]

(a) The Attorney General, a district attorney, or a city attorney may bring a civil action in any court of competent jurisdiction against a telephone solicitor to enforce the article and to obtain any one or more of the following remedies:

(1) An order to enjoin the violation.

(2) A civil penalty of up to the penalty amount that the Federal Trade Commission may seek pursuant to subparagraph (A) of paragraph (1) of subsection (m) of Section 45 of Title 15 of the United States Code as specified in Section 1.98 of Title 16 of the Code of Federal Regulations.

(3) Any other relief that the court deems proper.

(b) Any person who has received a telephone solicitation that is prohibited by Section 17592, or whose telephone number was used in violation of Section 17591, may bring a civil action in small claims court for an injunction or order to prevent further violations. If a person obtains an injunction or order under this subdivision and service of the injunction or order is properly effected, a person who thereafter receives further solicitations in violation of the injunction or order within 30 days after service of the initial injunction or order, may file a subsequent action in small claims court seeking enforcement of the injunction or order and a civil penalty to be awarded to the person in an amount up to one thousand dollars ($1,000). For purposes of this subdivision, a person's claims may not be aggregated to establish jurisdiction in a court other than small claims court. For purposes of this subdivision, a defendant is not required to personally appear, but may appear by affidavit or by written instrument.

(c) The rights, remedies, and penalties established by this article are in addition to the rights, remedies, or penalties established under other laws.

(d) It shall be an affirmative defense to any action brought under this article that the violation was accidental and in violation of the telephone solicitor's policies and procedures and telemarketer instruction and training.

FAIR CREDIT REPORTING


CIVIL CODE

DIVISION 3. OBLIGATIONS

PART 4. OBLIGATIONS ARISING FROM PARTICULAR TRANSACTIONS

TITLE 1.6. CONSUMER CREDIT REPORTING AGENCIES ACT

CHAPTER 1. GENERAL PROVISIONS

CA Civ. Code §1785.2. Short Title

[Enacted by Laws 1975, Ch. 1271, §1.]

This act may be referred to as the Consumer Credit Reporting Agencies Act.

CA Civ. Code §1785.3. Definitions

[Last amended by Laws 2000, Ch. 808 (A.B. 1358), §3.]

The following terms as used in this title have the meaning expressed in this section:

(a) "Adverse action" means a denial or revocation of credit, a change in the terms of an existing credit arrangement which is adverse to the interests of the consumer, or a refusal to grant credit in substantially the amount or on substantially the terms requested. "Adverse action" includes all of the following:

(1) Any denial of, increase in any charge for, or reduction in the amount of, insurance for personal, family, or household purposes made in connection with the underwriting of insurance.

(2) Any denial of employment or any other decision made for employment purposes which adversely affects any current or prospective employee.

(3) Any action taken, or determination made, with respect to a consumer (A) for an application for an extension of credit, or an application for the hiring of a dwelling unit, and (B) that is adverse to the interests of the consumer.

"Adverse action" does not include (A) a refusal to extend additional credit to a consumer under an existing credit arrangement if (i) the applicant is delinquent or otherwise in default under that credit arrangement or (ii) the additional credit would exceed a credit limit previously established for the consumer or (B) a refusal or failure to authorize an account transaction at a point of sale.

(b) "Consumer" means a natural individual.

(c) "Consumer credit report" means any written, oral, or other communication of any information by a consumer credit reporting agency bearing on a consumer's credit worthiness, credit standing, or credit capacity, which is used or is expected to be used, or collected in whole or in part, for the purpose of serving as a factor in establishing the consumer's eligibility for: (1) credit to be used primarily for personal, family, or household purposes, or (2) employment purposes, or (3) hiring of a dwelling unit, as defined in subdivision (c) of Section 1940, or (4) other purposes authorized in Section 1785.11.

The term does not include (1) any report containing information solely as to transactions or experiences between the consumer and the person making the report, (2) any communication of that information or information from a credit application by a consumer that is internal within the organization that is the person making the report or that is made to an entity owned by, or affiliated by corporate control with, that person; provided that the consumer is informed by means of a clear and conspicuous written disclosure that information contained in the credit application may be provided to these persons; however, where a credit application is taken by telephone, disclosure shall initially be given orally at the time the application is taken, and a clear and conspicuous written disclosure shall be made to the consumer in the first written communication to that consumer after the application is taken, (3) any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device, (4) any report by a person conveying a decision whether to make a specific extension of credit directly or indirectly to a consumer in response to a request by a third party, if the third party advises the consumer of the name and address of the person to whom the request was made and the person makes the disclosures to the consumer required under Section 1785.20, (5) any report containing information solely on a consumer's character, general reputation, personal characteristics, or mode of living which is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on, or others with whom he is acquainted or who may have knowledge concerning those items of information, (6) any communication about a consumer in connection with a credit transaction which is not initiated by the consumer, between persons who are affiliated (as defined in Section 150 of the Corporations Code) by common ownership or common corporate control (as defined by Section 160 of the Corporations Code), if either of those persons has complied with paragraph (2) of subdivision (b) of Section 1785.20.1 with respect to a prequalifying report from which the information communicated is taken and provided the consumer has consented to the provision and use of the prequalifying report in writing, or (7) any consumer credit report furnished for use in connection with a transaction which consists of an extension of credit to be used solely for a commercial purpose.

(d) "Consumer credit reporting agency" means any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the business of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer credit reports to third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.

(e) "Credit transaction that is not initiated by the consumer" does not include the use of a consumer credit report by an assignee for collection or by a person with which the consumer has an account for purposes of (1) reviewing the account or (2) collecting the account. For purposes of this subdivision, "reviewing the account" includes activities related to account maintenance and monitoring, credit line increases, and account upgrades and enhancements.

(f) "Employment purposes," when used in connection with a consumer credit report, means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee.

(g) "File," when used in connection with information on any consumer, means all of the information on that consumer recorded and retained by a consumer credit reporting agency, regardless of how the information is stored.

(h) "Firm offer of credit" means any offer of credit to a consumer that will be honored if, based on information in a consumer credit report on the consumer and other information bearing on the creditworthiness of the consumer, the consumer is determined to meet the criteria used to select the consumer for the offer and the consumer is able to provide any real property collateral specified in the offer. For purposes of this subdivision, the phrase "other information bearing on the creditworthiness of the consumer" means information that the person making the offer is permitted to consider pursuant to any rule, regulation, or formal written policy statement relating to the federal Fair Credit Reporting Act, as amended (15 U.S.C. Sec. 1681 et seq.), promulgated by the Federal Trade Commission or any federal bank regulatory agency.

(i) "Item of information" means any of one or more informative entries in a credit report which causes a creditor to deny credit to an applicant or increase the cost of credit to an applicant or deny an applicant a checking account with a bank or other financial institution.

(j) "Person" means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.

(k) "Prequalifying report" means a report containing the limited information permitted under paragraph (2) of subdivision (b) of Section 1785.11.

(l) "State or local child support enforcement agency" means the Department of Child Support Services or local child support agency acting pursuant to Division 17 (commencing with Section 17000) of the Family Code to establish, enforce or modify child support obligations, and any state or local agency or official that succeeds to these responsibilities under a successor statute.

CA Civ. Code §1785.4. Inapplicability To Private Detectives; Exception

[Enacted by Laws 1975, Ch. 1271, §1.]

Nothing in this title shall apply to any person licensed pursuant to the provisions of Chapter 11 (commencing with Section 7500) of Division 3 of the Business and Professions Code, or to any employee of such person, unless such person is employed directly by a consumer credit reporting agency.

CA Civ. Code §1785.5. Assembly, Evaluation Or Dissemination Of Information On Checking Account Experiences Of Financial Institution Customers

[Last amended by Laws 2001, Ch. 236 (A.B. 488), §1.]

Any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling, evaluating, or disseminating information on the checking account experiences of consumer customers of banks or other financial institutions is, with the exception of compliance with the requirements of Section 1785.10, subdivisions (c), (d), and (e), only with regard to the provision of the address and telephone number, subject to the same laws which govern consumer credit reporting agencies.

CA Civ. Code §1785.6. Consumer Notice Or Disclosure; California Addresses

[Enacted by Laws 1993, Ch. 285 (A.B. 1340), §2.]

The notices and disclosures to consumers provided for in this title shall be required to be made only to those consumers who have a mailing address in California.

CHAPTER 2. OBLIGATIONS OF CONSUMER CREDIT REPORTING AGENCIES

CA Civ. Code §1785.10. Inspection Of Files By Consumer; Advice To Consumer; Coded Files; Availability Of Information; Disclosure Of Recipients Of Credit Reports And Inquiries; Reselling Report Or Information; Exemptions

[Enacted by Laws 2002, Ch. 9 (A.B. 1531), §2.]

(a) Every consumer credit reporting agency shall, upon request and proper identification of any consumer, allow the consumer to visually inspect all files maintained regarding that consumer at the time of the request.

(b) Every consumer reporting agency, upon contact by a consumer by telephone, mail, or in person regarding information which may be contained in the agency files regarding that consumer, shall promptly advise the consumer of his or her rights under Sections 1785.11.8, 1785.19, and 1785.19.5, and of the obligation of the agency to provide disclosure of the files in person, by mail, or by telephone pursuant to Section 1785.15, including the obligation of the agency to provide a decoded written version of the file or a written copy of the file with an explanation of any code, including any credit score used, and the key factors, as defined in Section 1785.15.1, if the consumer so requests that copy. The disclosure shall be provided in the manner selected by the consumer, chosen from among any reasonable means available to the consumer credit reporting agency.

The agency shall determine the applicability of subdivision (1) of Section 1785.17 and, where applicable, the agency shall inform the consumer of the rights under that section.

(c) All information on a consumer in the files of a consumer credit reporting agency at the time of a request for inspection under subdivision (a), shall be available for inspection, including the names, addresses and, if provided by the sources of information, the telephone numbers identified for customer service for the sources of information.

(d)(1) The consumer credit reporting agency shall also disclose the recipients of any consumer credit report on the consumer which the consumer credit reporting agency has furnished:

(A) For employment purposes within the two-year period preceding the request.

(B) For any other purpose within the 12-month period preceding the request.

(2) Disclosure of recipients of consumer credit reports for purposes of this subdivision shall include the name of the recipient or, if applicable, the fictitious business name under which the recipient does business disclosed in full. The identification shall also include the address and, if provided by the recipient, the telephone number identified for customer service for the recipient.

(e) The consumer credit reporting agency shall also disclose a record of all inquiries received by the agency in the 12-month period preceding the request that identified the consumer in connection with a credit transaction which is not initiated by the consumer. This record of inquiries shall include the name, address and, if provided by the recipient, the telephone number identified for customer service for each recipient making an inquiry.

(f) Any consumer credit reporting agency when it is subject to the provisions of Section 1785.22 is exempted from the requirements of subdivisions (c), (d), and (e), only with regard to the provision of the address and telephone number.

(g) Any consumer credit reporting agency, that provides a consumer credit report to another consumer credit reporting agency that procures the consumer credit report for the purpose of resale and is subject to Section 1785.22, is exempted from the requirements of subdivisions (d) and (e), only with regard to the provision of the address and telephone number regarding each prospective user to which the consumer credit report was sold.

(h) This section shall become operative on January 1, 2003.

CA Civ. Code §1785.11. Furnishing Consumer Report; Circumstances

[Last amended by Laws 2002, Ch. 664 (A.B. 3034), §40.]

(a) A consumer credit reporting agency shall furnish a consumer credit report only under the following circumstances:

(1) In response to the order of a court having jurisdiction to issue an order.

(2) In accordance with the written instructions of the consumer to whom it relates.

(3) To a person whom it has reason to believe:

(A) Intends to use the information in connection with a credit transaction, or entering or enforcing an order of a court of competent jurisdiction for support, involving the consumer as to whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; or

(B) Intends to use the information for employment purposes; or

(C) Intends to use the information in connection with the underwriting of insurance involving the consumer, or for insurance claims settlements; or

(D) Intends to use the information in connection with a determination of the consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider the applicant's financial responsibility or status; or

(E) Intends to use the information in connection with the hiring of a dwelling unit, as defined in subdivision (c) of Section 1940; or

(F) Otherwise has a legitimate business need for the information in connection with a business transaction involving the consumer.

(b) A consumer credit reporting agency may furnish information for purposes of a credit transaction specified in subparagraph (A) of paragraph (3) of subdivision (a), where it is a credit transaction that is not initiated by the consumer, only under the circumstances specified in paragraph (1) or (2), as follows:

(1) The consumer authorizes the consumer credit reporting agency to furnish the consumer credit report to the person.

(2) The proposed transaction involves a firm offer of credit to the consumer, the consumer credit reporting agency has complied with subdivision (d), and the consumer has not elected pursuant to paragraph (1) of subdivision (d) to have the consumer's name excluded from lists of names provided by the consumer credit reporting agency for purposes of reporting in connection with the potential issuance of firm offers of credit. A consumer credit reporting agency may provide only the following information pursuant to this paragraph:

(A) The name and address of the consumer.

(B) Information pertaining to a consumer that is not identified or identifiable with a particular consumer.

(c) Except as provided in paragraph (3) of subdivision (a) of Section 1785.15, a consumer credit reporting agency shall not furnish to any person a record of inquiries solely resulting from credit transactions that are not initiated by the consumer.

(d)(1) A consumer may elect to have his or her name and address excluded from any list provided by a consumer credit reporting agency pursuant to paragraph (2) of subdivision (b) by notifying the consumer credit reporting agency, by telephone or in writing, through the notification system maintained by the consumer credit reporting agency pursuant to subdivision (e), that the consumer does not consent to any use of consumer credit reports relating to the consumer in connection with any transaction that is not initiated by the consumer.

(2) An election of a consumer under paragraph (1) shall be effective with respect to a consumer credit reporting agency, and any affiliate of the consumer credit reporting agency, on the date on which the consumer notifies the consumer credit reporting agency.

(3) An election of a consumer under paragraph (1) shall terminate and be of no force or effect following notice from the consumer to the consumer credit reporting agency, through the system established pursuant to subdivision (e), that the election is no longer effective.

(e) Each consumer credit reporting agency that furnishes a prequalifying report pursuant to subdivision (b) in connection with a credit transaction not initiated by the consumer shall establish and maintain a notification system, including a toll-free telephone number, that permits any consumer, with appropriate identification and for which the consumer credit reporting agency has a file, to notify the consumer credit reporting agency of the consumer's election to have the consumer's name removed from any list of names and addresses provided by the consumer credit reporting agency, and by any affiliated consumer credit reporting agency, pursuant to paragraph (2) of subdivision (b). Compliance with the requirements of this subdivision by a consumer credit reporting agency shall constitute compliance with those requirements by any affiliate of that consumer credit reporting agency.

(f) Each consumer credit reporting agency that compiles and maintains files on consumers on a nationwide basis shall establish and maintain a notification system under paragraph (1) of subdivision (e) jointly with its affiliated consumer credit reporting agencies.

CA Civ. Code §1785.11.1. Security Alerts In Credit Reports


[Last amended by Laws 2003, Ch. 907 (S.B. 25), §1.5.]

(a) A consumer may elect to place a security alert in his or her credit report by making a request in writing or by telephone to a consumer credit reporting agency. "Security alert" means a notice placed in a consumer's credit report, at the request of the consumer, that notifies a recipient of the credit report that the consumer's identity may have been used without the consumer's consent to fraudulently obtain goods or services in the consumer's name.

(b) A consumer credit reporting agency shall notify each person requesting consumer credit information with respect to a consumer of the existence of a security alert in the credit report of that consumer, regardless of whether a full credit report, credit score, or summary report is requested.

(c) Each consumer credit reporting agency shall maintain a toll-free telephone number to accept security alert requests from consumers 24 hours a day, seven days a week.

(d) The toll-free telephone number shall be included in any written disclosure by a consumer credit reporting agency to any consumer pursuant to Section 1785.15 and shall be printed in a clear and conspicuous manner.

(e) A consumer credit reporting agency shall place a security alert on a consumer's credit report no later than five business days after receiving a request from the consumer.

(f) The security alert shall remain in place for at least 90 days, and a consumer shall have the right to request a renewal of the security alert.

(g) Any person who uses a consumer credit report in connection with the approval of credit based on an application for an extension of credit, or with the purchase, lease, or rental of goods or non-credit-related services and who receives notification of a security alert pursuant to subdivision (a) may not lend money, extend credit, or complete the purchase, lease, or rental of goods or non-credit-related services without taking reasonable steps to verify the consumer's identity, in order to ensure that the application for an extension of credit or for the purchase, lease, or rental of goods or non-credit-related services is not the result of identity theft. If the consumer has placed a statement with the security alert in his or her file requesting that identity be verified by calling a specified telephone number, any person who receives that statement with the security alert in a consumer's file pursuant to subdivision (a) shall take reasonable steps to verify the identity of the consumer by contacting the consumer using the specified telephone number prior to lending money, extending credit, or completing the purchase, lease, or rental of goods or non-credit-related services. If a person uses a consumer credit report to facilitate the extension of credit or for another permissible purpose on behalf of a subsidiary, affiliate, agent, assignee, or prospective assignee, that person may verify a consumer's identity under this section in lieu of the subsidiary, affiliate, agent, assignee, or prospective assignee.

(h) For purposes of this section, "extension of credit" does not include an increase in the dollar limit of an existing open-end credit plan, as defined in Regulation Z issued by the Board of Governors of the Federal Reserve System (12 C.F.R. 226.2), or any change to, or review of, an existing credit account.

(i) If reasonable steps are taken to verify the identity of the consumer pursuant to subdivision (b) of Section 1785.20.3, those steps constitute compliance with the requirements of this section, except that if a consumer has placed a statement including a telephone number with the security alert in his or her file, his or her identity shall be verified by contacting the consumer using that telephone number as specified pursuant to subdivision (g).

(j) A consumer credit reporting agency shall notify each consumer who has requested that a security alert be placed on his or her consumer credit report of the expiration date of the alert.

(k) Notwithstanding Section 1785.19, any consumer credit reporting agency that recklessly, willfully, or intentionally fails to place a security alert pursuant to this section shall be liable for a penalty in an amount of up to two thousand five hundred dollars ($2,500) and reasonable attorneys' fees.

CHAPTER 3. REQUIREMENTS ON USERS OF CONSUMER CREDIT REPORTS

CA Civ. Code §1785.20. Adverse Action Based On Consumer Credit Report Information; Notice And Disclosure To Consumer; Denial Of Credit Or Insurance Or Increase In Charge Because Of Information From One Other Than Agency; Liability

[Last amended by Laws 1992, Ch. 1194 (A.B. 1629), §9.]

(a) If any person takes any adverse action with respect to any consumer, and the adverse action is based, in whole or in

part, on any information contained in a consumer credit report, that person shall do all of the following:

(1) Provide written notice of the adverse action to the consumer.

(2) Provide the consumer with the name, address, and telephone number of the consumer credit reporting agency

which furnished the report to the person.


(3) Provide a statement that the credit grantor's decision to take adverse action was based in whole or in part upon information contained in a consumer credit report.

(4) Provide the consumer with a written notice of the following rights of the consumer:

(A) The right of the consumer to obtain within 60 days a free copy of the consumer's consumer credit report from the consumer credit reporting agency identified pursuant to paragraph (2) and from any other consumer credit reporting agency which compiles and maintains files on consumers on a nationwide basis.

(B) The right of the consumer under Section 1785.16 to dispute the accuracy or completeness of any information in a consumer credit report furnished by the consumer credit reporting agency.

(b) Whenever credit or insurance for personal, family, or household purposes involving a consumer is denied or the charge for such credit is increased either wholly or in part because of information obtained from a person other than a consumer credit reporting agency bearing upon consumer's credit worthiness or credit standing, the user of that information shall, within a reasonable period of time, and upon the consumer's written request for the reasons for that adverse action received within 60 days after learning of the adverse action, disclose the nature and substance of the information to the consumer. The user of the information shall clearly and accurately disclose to the consumer his or her right to make such a written request at the time the adverse action is communicated to the consumer.

(c) No person shall be held liable for any violation of this section if he or she shows by a preponderance of the evidence that at the time of the alleged violation he or she maintained reasonable procedures to assure compliance with this section.

(d) Nothing in this chapter shall excuse compliance with the requirements of Section 1787.2.

CA Civ. Code §1785.20.1. Credit Transactions Not Initiated By Consumer; Solicitation To Consumer; Required Statement; Prequalifying Reports; Consumer's Consent

[Enacted by Laws 1992, Ch. 1194 (A.B. 1629), §9.5.]

(a) Except as provided in subdivision (b), any person who uses a consumer credit report in connection with any credit transaction not initiated by the consumer and which consists of a firm offer of credit shall provide with any solicitation made to the consumer a clear and conspicuous statement as to all of the following:

(1) Information contained in the consumer's prequalifying report was used in connection with the transaction.

(2) The consumer received the offer of credit, because the consumer satisfied the criteria for creditworthiness under which the consumer was selected for the offer.

(3) Where applicable, the credit may not be extended if, after the consumer responds to the offer, the consumer does not meet the criteria used to select the consumer for the offer.

(4) The consumer has a right to prohibit use of information contained in the consumer's file with any consumer credit reporting agency in connection with any credit transaction that is not initiated by the consumer. The consumer may exercise this right by notifying the notification system or joint notification system established under subdivision (d) or (e) of Section 1785.11.

(b) Subdivision (a) does not apply to any person using a prequalifying report if all of the following conditions are met:

(1) The person using the prequalifying report is affiliated by common ownership or common corporate control with the person who procured the report.

(2) The person who procures the prequalifying report from the consumer credit reporting agency clearly and conspicuously discloses to the consumer to whom the report relates, before the prequalifying report is provided to the person who uses the report, that the prequalifying report might be provided to, and used by, persons affiliated in the manner specified in paragraph (1) with the person that procured the report.

(3) The consumer consents in writing to this provision and use of the prequalifying report.

(c) No person shall be denied credit on the basis of the consumer's refusal to provide consent pursuant to paragraph (3) of subdivision (b), unless that consent is necessary for the extension of credit, related to that transaction, by an affiliate.

CA Civ. Code §1785.20.2. Loans To Consumers; Use Of Consumer Credit Score; Information To Be Provided To Consumer; Notice And Form

[Enacted by Laws 2000, Ch. 978 (S.B. 1607), §6.]

Any person who makes or arranges loans and who uses a consumer credit score as defined in Section 1785.15.1 in connection with an application initiated or sought by a consumer for a closed end loan or establishment of an open end loan for a consumer purpose that is secured by one to four units of residential real property shall provide the following to the consumer as soon as reasonably practicable:

(a) A copy of the information identified in subdivision (a) of Section 1785.15.1 that was obtained from a credit reporting agency or was developed and used by the user of the information. In addition to the information provided to it by a third party that provided the credit score or scores, a lender is only required to provide the notice contained in subdivision (d).

(b) If a person who is subject to this section uses an automated underwriting system to underwrite a loan, that person may satisfy the obligation to provide a credit score by disclosing a credit score and associated key factors supplied by a consumer credit reporting agency. However, if a numerical credit score is generated by an automated underwriting system used by an enterprise, and that score is disclosed to the person, it shall be disclosed to the consumer consistent with subdivision (c). For purposes of this subdivision, the term "enterprise" shall have the meaning provided in paragraph (6) of Section 4502 of Title 12 of the United States Code.

(c) A person subject to the provisions of this section who uses a credit score other than a credit score provided by a consumer reporting agency may satisfy the obligation to provide a credit score by disclosing a credit score and associated key factors supplied by a consumer credit reporting agency.

(d) A copy of the following notice, which shall include the name, address, and telephone number of each credit bureau providing a credit score that was used:

NOTICE TO THE HOME LOAN APPLICANT

In connection with your application for a home loan, the lender must disclose to you the score that a credit bureau distributed to users and the lender used in connection with your home loan, and the key factors affecting your credit scores.

The credit score is a computer generated summary calculated at the time of the request and based on information a credit bureau or lender has on file. The scores are based on data about your credit history and payment patterns. Credit scores are important because they are used to assist the lender in determining whether you will obtain a loan. They may also be used to determine what interest rate you may be offered on the mortgage. Credit scores can change over time, depending on your conduct, how your credit history and payment patterns change, and how credit scoring technologies change.

Because the score is based on information in your credit history, it is very important that you review the credit-related information that is being furnished to make sure it is accurate. Credit records may vary from one company to another.

If you have questions about your credit score or the credit information that is furnished to you, contact the credit bureau at the address and telephone number provided with this notice, or contact the lender, if the lender developed or generated the credit score. The credit bureau plays no part in the decision to take any action on the loan application and is unable to provide you with specific reasons for the decision on a loan application.

If you have questions concerning the terms of the loan, contact the lender.

(e) This section shall not require any person to do the following:

(1) Explain the information provided pursuant to Section 1785.15.1.

(2) Disclose any information other than a credit score or key factor, as defined in Section 1785.15.1.

(3) Disclose any credit score or related information obtained by the user after a loan has closed.

(4) Provide more than one disclosure per loan transaction.

(5) Provide the disclosure required by this section when another person has made the disclosure to the consumer for that loan transaction.

(f) Any person's obligation pursuant to this section shall be limited solely to providing a copy of the information that was received from the consumer credit reporting agency. No person has liability under this section for the content of that information or for the omission of any information within the report provided by the consumer credit reporting agency.

(g) As used in this section, the term "person" does not include an "enterprise" as defined in paragraph (6) of Section 4502 of Title 12 of the United States Code.

CA Civ. Code §1785.20.3. Consumer Credit Reports With Approval Of Credit Based On Application For Credit Extension; Consumer Address Error With Respect To Identity Theft; Verification Safeguard; Violations

[Last amended by Laws 2003, Ch. 41 (A.B. 1610), §1.]


(a) Any person who uses a consumer credit report in connection with the approval of credit based on an application for an extension of credit, and who discovers that the consumer's first and last name, address, or social security number, on the credit application does not match, within a reasonable degree of certainty, the consumer's first and last name, address or addresses, or social security number listed, if any, on the consumer credit report, shall take reasonable steps to verify the accuracy of the consumer's first and last name, address, or social security number provided on the application to confirm that the extension of credit is not the result of identity theft, as defined in Section 1798.92.

(b) Any person who uses a consumer credit report in connection with the approval of credit based on an application for an extension of credit, and who has received notification pursuant to subdivision (k) of Section 1785.16 that the applicant has been a victim of identity theft, as defined in Section 1798.92, may not lend money or extend credit without taking reasonable steps to verify the consumer's identity and confirm that the application for an extension of credit is not the result of identity theft.

(c) Any consumer who suffers damages as a result of a violation of this section by any person may bring an action in a court of appropriate jurisdiction against that person to recover actual damages, court costs, attorney's fees, and punitive damages of not more than thirty thousand dollars ($30,000) for each violation, as the court deems proper.

(d) As used in this section, "identity theft" has the meaning given in subdivision (b) of Section 1798.92.

(e) For the purposes of this section, "extension of credit" does not include an increase in an existing open-end credit plan, as defined in Regulation Z of the Federal Reserve System (12 C.F.R. 226.2), or any change to or review of an existing credit account.

(f) If a consumer provides initial written notice to a creditor that he or she is a victim of identity theft, as defined in subdivision (d) of Section 1798.92, the creditor shall provide written notice to the consumer of his or her rights under subdivision (k) of Section 1785.16.

(g) The provisions of subdivisions (k) and (l) of Section 1785.16 do not apply to a consumer credit reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer credit reporting agency or the databases of multiple consumer credit reporting agencies, and does not maintain a permanent database of credit information from which new credit reports are produced.

(h) This section does not apply if one of the addresses at issue is a United States Army or Air Force post office address or a United States Fleet post office address.

CA Civ. Code §1785.20.5. Report For Employment Purposes; Prior Notice To Person Involved; Contemporaneous Copies For User And Subject; Denial Of Employment; Identity Of Reporter; Notice By User To Consumer; Liability

[Last amended by Laws 2011, Ch. 724 (A.B. 22), §1.]

(a) Prior to requesting a consumer credit report for employment purposes, the user of the report shall provide written notice to the person involved. The notice shall inform the person that a report will be used, and shall identify the specific basis under subdivision (a) of Section 1024.5 of the Labor Code for use of the report. The notice shall also inform the person of the source of the report, and shall contain a box that the person may check off to receive a copy of the credit report. If the consumer indicates that he or she wishes to receive a copy of the report, the user shall request that a copy be provided to the person when the user requests its copy from the credit reporting agency. The report to the user and to the subject person shall be provided contemporaneously and at no charge to the subject person.

(b) Whenever employment involving a consumer is denied either wholly or partly because of information contained in a consumer credit report from a consumer credit reporting agency, the user of the consumer credit report shall so advise the consumer against whom the adverse action has been taken and supply the name and address or addresses of the consumer credit reporting agency making the report. No person shall be held liable for any violation of this section if he or she shows by a preponderance of the evidence that, at the time of the alleged violation, he or she maintained reasonable procedures to assure compliance with this section.

CA Civ. Code §1785.21. Contact Of Reporter By User At Request Of Consumer; Investigation Of Disputed Item Of Information; Report By Reporter To User And Consumer

[Enacted by Laws 1976, Ch. 666, §8.]

(a) A user in its discretion may notify the consumer that upon request the user may contact the consumer reporting agency and request that the consumer reporting agency investigate the current status of an item or items of information contained in the consumer report if the consumer disputes the completeness or accuracy of an item or items of information as provided to the user.

(b) The consumer credit reporting agency may require identification from the user to insure the validity of the request and, in that regard, may require that the request be put in writing with proper identification.


(c) In the event that any such request is made and identification given in the form or manner demanded by the consumer credit reporting agency, such agency shall review the file of the consumer and report the current status of the disputed information to the user and the consumer by the most expeditious means possible.

(d) No user who furnishes information pursuant to this section shall be liable to any person for furnishing such information.

CA Civ. Code §1785.22. Reselling Report Or Information; Disclosure To Agency; Requirements

[Enacted by Laws 1992, Ch. 1194 (A.B. 1629), §10.]

(a) A person may not procure a consumer credit report for the purpose of reselling the report or any information therein unless the person discloses to the consumer credit reporting agency which issues the report the identity of the ultimate end user and each permissible purpose for which the report is furnished to the end user of the consumer credit report or information therein.

(b) A person that procures a consumer credit report for the purpose of reselling the report or any information therein shall do all of the following:

(1) Establish and comply with reasonable procedures designed to ensure that the consumer credit report or information is resold by the person only for a purpose for which the report may be furnished under this title. These procedures shall include all of the following:

(A) Identification of each prospective user of the resold consumer credit report or information.

(B) Certification of each purpose for which the consumer credit report or information will be used.

(C) Certification that the consumer credit report or information will be used for no other purpose.

(2) Before reselling the consumer credit report or information, the person shall make reasonable efforts to verify the identities and certifications made under paragraph (1).

CHAPTER 3.5. OBLIGATIONS OF FURNISHERS OF CREDIT INFORMATION

CA Civ. Code §1785.25. Incomplete Or Inaccurate Information; Knowledge; Notification To Agency; Dispute As To Completeness Or Accuracy; Notice; Closing Of Open-End Credit Account; Delinquent Accounts; Investigation Of Dispute; Liability Of Furnisher

[Last amended by Laws 1993, Ch. 285 (A.B. 1340), §8.]

[Ed. Note: Recognized as preempted by the federal Fair Credit Reporting Act, in Howard v. Blue Ridge Bank, N.D.Cal.2005, 371 F.Supp.2d 1139. Limited on preemption grounds by Roybal v. Equifax, 405 F.Supp.2d 1177, 1178+ (E.D.Cal. Oct 19, 2005) (NO. CIV S 05-1207MCEKLM). Users are encouraged to refer to the text of the cases cited for complete information of provisions affected.]

(a) A person shall not furnish information on a specific transaction or experience to any consumer credit reporting agency if the person knows or should know the information is incomplete or inaccurate.

(b) A person who (1) in the ordinary course of business regularly and on a routine basis furnishes information to one or more consumer credit reporting agencies about the person's own transactions or experiences with one or more consumers and (2) determines that information on a specific transaction or experience so provided to a consumer credit reporting agency is not complete or accurate, shall promptly notify the consumer credit reporting agency of that determination and provide to the consumer credit reporting agency any corrections to that information, or any additional information, that is necessary to make the information provided by the person to the consumer credit reporting agency complete and accurate.

(c) So long as the completeness or accuracy of any information on a specific transaction or experience furnished by any person to a consumer credit reporting agency is subject to a continuing dispute between the affected consumer and that person, the person may not furnish the information to any consumer credit reporting agency without also including a notice that the information is disputed by the consumer.

(d) A person who regularly furnishes information to a consumer credit reporting agency regarding a consumer who has an open-end credit account with that person, and which is closed by the consumer, shall notify the consumer credit reporting agency of the closure of that account by the consumer, in the information regularly furnished for the period in which the account is closed.

(e) A person who places a delinquent account for collection (internally or by referral to a third party), charges the delinquent account to profit or loss, or takes similar action, and subsequently furnishes information to a credit reporting agency regarding that action, shall include within the information furnished the approximate commencement date of the delinquency which gave rise to that action, unless that date was previously reported to the credit reporting agency. Nothing in this provision shall require that a delinquency must be reported to a credit reporting agency.

(f) Upon receiving notice of a dispute noticed pursuant to subdivision (a) of Section 1785.16 with regard to the completeness or accuracy of any information provided to a consumer credit reporting agency, the person that provided the information shall (1) complete an investigation with respect to the disputed information and report to the consumer credit reporting agency the results of that investigation before the end of the 30-business-day period beginning on the date the consumer credit reporting agency receives the notice of dispute from the consumer in accordance with subdivision (a) of Section 1785.16 and (2) review relevant information submitted to it.

(g) A person who furnishes information to a consumer credit reporting agency is liable for failure to comply with this section, unless the furnisher establishes by a preponderance of the evidence that, at the time of the failure to comply with this section, the furnisher maintained reasonable procedures to comply with those provisions.

CA Civ. Code §1785.26. Creditor; Negative Credit Information; Notification To Consumer; Form And Service Of Notice; Liability Of Creditor

[Enacted by Laws 1992, Ch. 1194 (A.B. 1629), §11.]

(a) As used in this section:

(1) "Creditor" includes an agent or assignee of a creditor, including an agent engaged in administering or collecting the creditor's accounts.

(2) "Negative credit information" means information concerning the credit history of a consumer that, because of the consumer's past delinquencies, late or irregular payment history, insolvency, or any form of default, would reasonably be expected to affect adversely the consumer's ability to obtain or maintain credit. "Negative credit information" does not include information or credit histories arising from a nonconsumer transaction or any other credit transaction outside the scope of this title, nor does it include inquiries about a consumer's credit record.

(b) A creditor may submit negative credit information concerning a consumer to a consumer credit reporting agency, only if the creditor notifies the consumer affected. After providing this notice, a creditor may submit additional information to a credit reporting agency respecting the same transaction or extension of credit that gave rise to the original negative credit information without providing additional notice.

(c) The notice shall be in writing and shall be delivered in person or mailed first class, postage prepaid, to the party's last known address, prior to or within 30 days after the transmission of the negative credit information.

(1) The notice may be part of any notice of default, billing statement, or other correspondence, and may be included as preprinted or standard form language in any of these from the creditor to the consumer.

(2) The notice is sufficient if it is in substantially the following form:

"As required by law, you are hereby notified that a negative credit report reflecting on your credit record may be submitted to a credit reporting agency if you fail to fulfill the terms of your credit obligations."

(3) The notice may, in the creditor's discretion, be more specific than the form given in paragraph (2). The notice may include, but shall not be limited to, particular information regarding an account or information respecting the approximate date on which the creditor submitted or intends to submit a negative credit report.

(4) The giving of notice by a creditor as provided in this subdivision does not create any requirement for the creditor to actually submit negative credit information to a consumer credit reporting agency. However, this section shall not be construed to authorize the use of notice as provided in this subdivision in violation of the federal Fair Debt Collection Practices Act (15 U.S.C., Sec. 1592 et seq.).

(d) A creditor is liable for failure to provide notice pursuant to this section, unless the creditor establishes, by a preponderance of the evidence, that at the time of that failure to give notice the creditor maintained reasonable procedures to comply with this section.

TITLE 1.6A. INVESTIGATIVE CONSUMER REPORTING AGENCIES

Article 2. Obligations of Investigative Consumer Reporting Agencies

CA Civ. Code §1786.40. Consumer Insurance Request Denied; Notice To Consumer Of Adverse Action

[Enacted by Laws 2002, Ch. 1030 (A.B. 1068), §6.]

(a) Whenever insurance for personal, family, or household purposes, employment, or the hiring of a dwelling unit involving a consumer is denied, or the charge for that insurance or the hiring of a dwelling unit is increased, under circumstances in which a report regarding the consumer was obtained from an investigative consumer reporting agency, the user of the investigative consumer report shall so advise the consumer against whom the adverse action has been taken and supply the name and address of the investigative consumer reporting agency making the report.

(b) Whenever insurance for personal, family, or household purposes involving a consumer is denied or the charge for that insurance is increased, either wholly or in part because of information bearing upon the consumer's general reputation, personal characteristics, or mode of living, that was obtained from a person other than an investigative consumer reporting agency, the consumer, or another person related to the consumer and acting on the consumer's behalf, the user of the information shall, within a reasonable period of time, and upon the consumer's written request for the reasons for the adverse action received within 60 days after learning of the adverse action, disclose the nature and substance of the information to the consumer. The user of the information shall clearly and accurately disclose to the consumer his or her right to make this written request at the time the adverse action is communicated to the consumer.

ADDITIONAL ADMINISTRATIVE MATERIAL

CA Bulletin 76-3. Disclosure Requirements—California Civil Code §§1785.1 And 1786—Consumer Credit And Investigative Consumer Reporting Agencies

April 15, 1976

Amendments to the Civil Code, effective January, 1976, will affect those insurers and licensed insurance agents and brokers utilizing consumer credit reports or investigative consumer reports in underwriting insurance. This bulletin is intended to highlight those requirements of the statute which will directly affect insurance agents or brokers licensed by this Department.

Civil Code §§1785.20 and 1786.40 require that USERS of consumer credit and investigative consumer reports who deny insurance or increase the premiums charged for insurance, on the basis of information contained in those reports, must disclose to the applicant that such information was the basis for its adverse decision. The user must also supply the applicant with the name and address of the agency providing the report.

As an example, insurers authorized to transact automobile insurance who elect to cancel an automobile policy within the first 60 days of coverage on the basis of a consumer credit or investigatory report will be required to so inform the insured.

If the information is obtained by the user from someone other than the consumer credit or investigative credit reporting agency, the applicant is entitled, upon written request within sixty days of learning of such adverse decision, to a disclosure of the nature and substance of that information. In making a disclosure of the information contained in an investigative consumer report, the user may withhold the substance of medical information contained therein, but shall inform the applicant of its existence. Such information must be disclosed upon written authorization from the applicant's attending physician.

Where an investigative consumer report is to be sought in connection with the underwriting of insurance, the insured or agent must disclose on the application, binder or similar document, signed by the applicant, that an investigative consumer report regarding the applicant's character, general reputation, personal characteristics, and mode of living may be made. If no signed document is involved in the transaction, a written disclosure must be made and mailed or delivered to the applicant within three days after the report is requested.

All insurers are encouraged to review their underwriting procedures and the captioned statutes to secure the fullest compliance therewith.

The individual insurer is responsible for insuring that copies of this bulletin are disseminated to all of his agents.

OTHER PROVISIONS

[Ed. Note: Confidentiality, consent and disclosure requirements related to genetic testing and HIV/AIDS testing are not reproduced in the Privacy Compliance Service but are located in ACLI's Risk Classification Compliance Service. In California, refer to §§799 et seq., 10140.1, 10146 et seq. of the Insurance Code; §§1374.7, 120980 and 120990 of the Health and Safety Code; and California Code of Regulations title 10, §2218.20 for these provisions.]


CIVIL CODE

DIVISION 3. OBLIGATIONS

PART 4. OBLIGATIONS ARISING FROM PARTICULAR TRANSACTIONS

TITLE 1.3. CREDIT CARDS

CA Civ. Code §1747.08. Personal Identification Information; Prohibition Upon Collection Of Data Upon Credit

Card Transaction Form; Exemptions; Civil Penalties And Injunctive Relief

[Last amended by Laws 2011, Ch. 690 (A.B. 1219), §2.]

(a) Except as provided in subdivision (c), no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall do any of the following:

(1) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.

(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.

(3) Utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.

(b) For purposes of this section "personal identification information," means information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number.

(c) Subdivision (a) does not apply in the following instances:

(1) If the credit card is being used as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence.

(2) Cash advance transactions.

(3) If any of the following applies:

(A) The person, firm, partnership, association, or corporation accepting the credit card is contractually obligated to provide personal identification information in order to complete the credit card transaction.

(B) The person, firm, partnership, association, or corporation accepting the credit card in a sales transaction at a retail motor fuel dispenser or retail motor fuel payment island automated cashier uses the Zip Code information solely for prevention of fraud, theft, or identity theft.

(C) The person, firm, partnership, association, or corporation accepting the credit card is obligated to collect and record the personal identification information by federal or state law or regulation.

(4) If personal identification information is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.

(d) This section does not prohibit any person, firm, partnership, association, or corporation from requiring the cardholder, as a condition to accepting the credit card as payment in full or in part for goods or services, to provide reasonable forms of positive identification, which may include a driver's license or a California state identification card, or where one of these is not available, another form of photo identification, provided that none of the information contained thereon is written or recorded on the credit card transaction form or otherwise. If the cardholder pays for the transaction with a credit card number and does not make the credit card available upon request to verify the number, the cardholder's driver's license number or identification card number may be recorded on the credit card transaction form or otherwise.

(e) Any person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. However, no civil penalty shall be assessed for a violation of this section if the defendant shows by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the defendant's maintenance of procedures reasonably adopted to avoid that error. When collected, the civil penalty shall be payable, as appropriate, to the person paying with a credit card who brought the action, or to the general fund of whichever governmental entity brought the action to assess the civil penalty.

(f) The Attorney General, or any district attorney or city attorney within his or her respective jurisdiction, may bring an action in the superior court in the name of the people of the State of California to enjoin violation of subdivision (a) and, upon notice to the defendant of not less than five days, to temporarily restrain and enjoin the violation. If it appears to the satisfaction of the court that the defendant has, in fact, violated subdivision (a), the court may issue an injunction restraining further violations, without requiring proof that any person has been damaged by the violation. In these proceedings, if the court finds that the defendant has violated subdivision (a), the court may direct the defendant to pay any or all costs incurred by the Attorney General, district attorney, or city attorney in seeking or obtaining injunctive relief pursuant to this subdivision.

(g) Actions for collection of civil penalties under subdivision (e) and for injunctive relief under subdivision (f) may be consolidated.

(h) The changes made to this section by Chapter 458 of the Statutes of 1995 apply only to credit card transactions entered into on and after January 1, 1996. Nothing in those changes shall be construed to affect any civil action which was filed before January 1, 1996.


© American Council of Life Insurers, 101 Constitution Avenue, NW, Washington, DC 20001-2133. All rights reserved.
